METHOD OF DATA PROCESSING AND PLANT OPERATION



This invention relates to a plant monitor system which could 
for example be used in connection with the control of operation of a 
commercial nuclear power plant. 

Conventionally, commercial nuclear power plants have a 
central control room containing equipment by which the operator 
collects, detects, reads, compares, copies, computes, compiles, 
analyzes, confirms, monitors, and/or verifies many bits of information 
from multiple indicators and alarms. Conventionally, the major 
operational systems in the control room have been installed and operate 
somewhat independently. These include the monitoring function, by 
which the components and the various processes in the plant are 
monitored; control, by which the components and the processes are 
intentionally altered or adjusted, and protection, by which a threat to 
the safety of the plant is identified and corrective measures 
immediately taken. 

The result of such conventional control room arrangement and 
functionality can sometimes be information overload or stimulus
overload on the operator. That is, the amount of information and the 
variety and complexity of the equipment available to the operator for 
taking action based on such extensive information, can exceed the 
operator's cognitive limits, resulting in errors. 

The most famous example of the inability of operators to 
assimilate and act correctly based on the tremendous volume of 
information stimuli in the control room, particularly during unexpected 
or unusual plant transients, is the accident that occurred in 1979 at
the Three Mile Island nuclear power plant. Since that event, the
industry has focussed considerable attention to increasing plant
performance. A key aspect of that improvement process is
the use of human engineering design principles.

Advances in computer technology since 1978 have
enabled nuclear engineers and control room designers to
display more information, in a greater variety of ways, but
this can be counterproductive, because part of the problem
is the overload of information. Improving "user
friendliness" while maintaining the quantity and type of
information at the operator's disposal has posed a
formidable engineering challenge.

According to one aspect of the invention there is
provided a data processing method as set out in claim 1 of
the claims of this specification. The invention also
provides an operating method for a power plant as claimed
in claim 12.

This application is divided from co-pending
application 9400819.0, itself divided from co-pending
application 9023718.1, which describe and claim similar
subject matter.



In one example, the plant control system
includes six major systems [...]
(DPS) [...] system consisting of
[...] the component control system consisting of
the engineered safeguard function component controls
(ESFC) and the process component controls (PCO), (5)
the plant protection [...]
information to the operator, perform all [...]
functions and provide for direct manual control of the
plant components.

The control complex in this example
provides a top-down integrated information
display and alarm approach that supports rapid
assessment of high level critical plant
power production functions; provides guidance to the
operator regarding the location of information to
further diagnose high level assessments; and
significantly reduces the number of [...]
relative to conventional nuclear control complexes.
The complex also significantly reduces the amount of
data the operator must process at any one time;
significantly reduces the operational impact of display
equipment failures; provides fixed locations for
important information; and eliminates
equipment used only for off normal plant conditions.

It is known that the nuclear steam supply system
can be kept in a safe, stable state by maintaining a
limited set of critical safety functions. We are
able to extend the concept of the critical plant
safety functions to include critical plant power
production functions, in essence integrating the two 
functions so that the information presentation to the 
operator supports all high level critical plant 
functions necessary for power production as well as 
safety. 

The information display hierarchy in accordance 
with this example includes a "big board" integrated
process status overview screen (IPSO) at the apex, 
which provides a single dedicated location for rapid 
assessment of key information indicative of critical 
plant power production and safety functions. Further 
detail on the sources and trends of normal or abnormal 
parameter changes are provided by the DIAS. Both IPSO 
and the DIAS provide direct access and guidance to 
additional system and component status information 
contained on a hierarchy of CRT display pages which are 
driven by the OPS. 

The IPSO continually displays spatially dedicated 
information that provides the status of the plant's 
critical safety and power production functions. This 
information is presented using a small number of easily 
understood symbolic representations that are the 
results of highly processed data. This relieves the 
operator of the burden of correlating large quantities 
of individual parameter data, systems or component 
status, and alarms to ascertain the plant functional 
conditions. The IPSO presents the operator with high 
level effects of lower level component problems. The 
IPSO relies primarily on parameter trend direction, 
e.g., higher, lower, an alarm symbol color and shape, 
to convey key information. These are supplemented by 
values for selected parameters. The IPSO presents
relatively small quantities of easily
understood information.

Furthermore, the IPSO compensates for the
disadvantage inherent in recent industry trends towards
presenting all information serially [...],
enabling the operator to obtain an [...]
two [...] operational [...].

Rather than relying on multiple operators in the
control room to monitor respective [...]
like on spatially separated panels, the IPSO can be
viewed from anywhere in the control room and thus
provides an operator a continuous indication of plant
performance regardless of the detailed nature of the
task that may be requiring the majority of his
attention.

In the preferred implementation, IPSO supports the
assessment of the power and safety critical functions
by providing for each function, key process parameters
that indicate the functional status. For each
function, key success paths are selected [...]
of that success path displayed. The IPSO clearly
relates functions to physical things in the plant. The
critical functions are applied to power production,
normal post trip actions, and optimal functional
recovery procedures.



The second level in the display information 
hierarchy in accordance with this example is 
the presentation of plant alarms from the DIAS. A 
limited number of fixed, discrete tiles are used with 
three levels of alarm priorities. Dynamic alarm 
processing uses information about the plant state 
(e.g., reactor power, reactor trip, refueling, 
shut-down, etc.) and information about system and 
equipment status to eliminate unnecessary and redundant 
alarms that would otherwise contribute to operator 
information overload. The alarm system provides a 
supplementary level of easily understood cueing into 
further information in the discrete indicators, CRTs 
and controls. Alarms are based on validated data, so 
that the alarms identify real plant process problems, 
not instrumentation and control system failures. 

The alarm features include providing a detailed 
message through a window to the operator upon the 
acknowledgment of an alarm and the ability to group the 
alarms without losing the individual messages. The 
tiles can dynamically display different priorities to 
the operator. The acknowledgment sequence ensures that 
all alarms are acknowledged while at the same time 
reducing the operator task loading by providing 
momentary tones, then continuous alarm, followed by 
reminder tones to ensure that the alarms are not 
forgotten. The operator has the ability to stop 
temporarily alarm flashing to avoid visual overload, 
and resume the flashing to ensure that the alarm will 
eventually be acknowledged. 

The discrete indicators in the DIAS provide the 
third level of display in the hierarchy of this 
example. The flat panel displays compress many 



signal sources into a limited set of read-outs for 
frequently monitored key plant data. Signal validation 
and automatic selection of sensors with the most 
accurate signal ranges are also employed to reduce the 
number of control panel indicators. Information 
read-outs are by touch-screen to enhance operator 
interaction and include numeric parameter values, a bar 
form of analog display, and a plot trend. 

Various multi-range indicators are available on
one display with automatic sensor selection and range 
display. The automatic calculation of a valid process 
representation parameter value, with the availability 
of individual sensor readings at the same display, 
avoids the need for separate backup displays, or 
different displays for normal operation versus accident 
or post-accident operation. 

Moreover, in another preferred feature of the 
invention, the parameter verification automatically 
distinguishes failed or multiple failed sensors, while 
allowing continued operation and accident mitigation 
information to the operator even if the CRT display is 
not available. Furthermore, the normal display 
information can be correlated to a qualified sensor, 
such as that used for post-accident monitoring 
purposes. 

At the information display level associated with
control of specific components, dynamic "soft"
controllers are provided with component status and
control signal information necessary for operator
control of these components. For the ESFC system, this
information includes status lamp, on-off controls,
modulation controls, open-closed controls, and logic
controls. For the PCCS, the information includes
confirm load, set points, operating range, process
values, and control signal outputs.

In the fourth level of the information hierarchy,
dynamic CRT display pages are complementary to all
levels of spatially dedicated control and information
and can be accessed from any CRT location in the
control room, technical support center, or agency
operations facility. These displays are grouped into a
three level hierarchy that includes general monitoring
(level 1), plant component and systems control (level
2), and component/process diagnostics (level 3).
Display implementation is driven by the DPS and 
duplicates and verifies all discrete alarm and 
indicator processing performed in the DIAS. 

In the preferred implementation of the invention,
the indicator, alarm, and control functions for a given 
major functional system of the plant are grouped 
together in a single, modularized panel. The panel can 
be made with cutouts that are spatially dedicated to 
each of the displays for the indicators, alarms, 
controls, and CRT, independent of the major plant 
functional system. This permits delivery, 
installation, and preliminary testing of the panels 
before finalization of the plant specific logic and 
algorithms, which can be software modified late in the 
plant construction schedule. This modularization is 
achievable because the space required on the panel is 
essentially independent of the major plant functional 
system to which the plant is dedicated. 

Both the alarms and indicators can be easily 
modified in software. The number of indicators and 
alarm tiles that can be displayed to the operator are 
not significantly limited by the available area of the 
Figure 11 is a diagrammatic summary of the work
stations of the complex shown in Figure 1, categorized
by first level display page set;

Figure 12 is an illustration of the typical
display page directory depicting display pages
containing alarm information;

Figure 13 is an illustration of the type of 
information provided on the CRT as alarm support after 
alarm acknowledgement; 

Figure 14 is an illustration of the categorized 
alarm listing available to the operator on the CRT; 

Figure 15 is a typical alarm tile grouping for the 
reactor coolant system/seal alarm tiles associated with 
the discrete indication and alarm system; 

Figure 16 is an illustration of the alarm tile 
display for the reactor coolant pumps, in which one 
tile has been actuated; 

Figure 17 is an illustration of the alarm display 
after acknowledgement of the actuated alarm of Figure 

Figure 18 is an illustration of the alarm display 
available upon the operator's touching the alarm status 
area of the display shown in Figure 17; 

Figure 19 is an illustration of the CRT display 
for the primary system; 

Figure 20 is an illustration of the CRT display 
for a second level page based on the first level page 
shown in Figure 19; 

Figure 21 is an illustration of a third level 
display page obtainable from the second level page 
shown in Figure 20; 

Figure 22 is an illustration and explanation of 
the display page menu option regions on the CRT 
displays; 
Figure 23 is an illustration of a typical CRT
display page depicting alarm tile representations; 

Figure 24 is a diagram showing the relationships 
of the CRT display page hierarchy; 

Figure 25 is an illustration depicting the 
integrated process status overview; 

Figure 26 is a diagrammatic description of the 
symbols used to convey trending information on the 
integrated process status overview; 

Figure 27 is a schematic representation of the 
integrated information presentation 

Figure 28 is a block diagram related to Figure 2, 
showing the relationships of the major systems 
constituting the control room complex 

Figure 29 is a block diagram showing the inputs
and outputs associated with the discrete indicator and
alarm system portion

Figure 30 is a schematic representation of the use 
of validated sensor data for monitoring and control 

Figure 31 is a functional diagram of the 
engineered safety features system and the component 
control system with associated interfaces as preferably 
arranged 

Figure 32 is an illustration of a typical display 
page directory associated with the critical function 
monitoring available through the data processing system 

Figure 33 is an illustration of a first level 
critical function display page associated with the 
hierarchy shown in Figure 32; 
Figure 34 is an illustration of a first level
critical function display page [...] reactor trip;

Figure 35 is an illustration of a typical second
level critical function display page associated with
the control system;

Figures 36(a) and 36(b) are diagrammatic
representations [...] and
the use of modular panels, respectively;

Figure 37 is an illustration of a discrete
indicator display for the hot and cold leg primary loop
temperatures, showing each sensor used in the
validation algorithm; and

Figure 38 is a summary of the types of pressurizer
pressure sensors used in determining [...]
the manner in which these are used to obtain the
representative pressure value.

The heart of the main control room 10 
(Figure 1) is a master control console 12 which
allows one person to operate the nuclear steam 
supply (NSSS) from the hot standby to the full 
power condition. It should be appreciated that the 
control room, equipment and methods described 
herein, may be advantageously used with light 
water reactors, high temperature gas cooled 
reactors, liquid metal reactors and advanced 
passive light water reactors, but for present 
purposes, the description will proceed on the basis 
that the plant has a pressurized water NSSS. 



For such an NSSS, the master control console 12
typically has five panels, one each for the reactor
coolant system (RCS) 14, the chemical volume and
control system (CVCS) 16, the nuclear reactor core 18,
feed water and condenser system ([...]CS) 20 and the
turbine system 22. As will be described more fully
below, the monitoring and control for each of these
five plant systems is accomplished at the respective
panel in the master control console.

Immediately overhead behind the core monitoring 
and control panel 18, is a large board or screen 24 for 
displaying the integrated process status overview 
(IPSO). Thus, the operator has five panels and the
overhead IPSO board within easy view while sitting or
standing in the center of the master control console.

To the left of the master control console is the
safety related console 26, typically including modules
associated with the safety monitoring, engineered
safeguard features, cooling water, and similar
functions. To the right of the master control console
is the auxiliary system console 28 containing modules
associated with the secondary cycle, auxiliary power
and diesel generator, the switch yard, and the heating
and ventilation system.

Preferably, the plant computer 30 and mass data 
storage devices 32 associated with the control room are 
located in distributed equipment rooms 31 to improve 
fire safety and sabotage protection. 

The control room complex 10 also has associated
therewith, a shift supervisor's office 34, which has a
complete view of the control room, an integrated
technical support center (TSC) 36 and viewing gallery
outside the control area, and other offices 38 in which
paper work associated with the operation of the plant 
may be performed. Similarly, desk, tables, and the 
like 40 are located on the control room floor for 
convenient use by the operators. A remote shut-down 
room 42 (Figure 2) is also available on site for 
post-accident monitoring purposes (PAM).

Figure 2 is a schematic of the information links 
between the plant components and sensors, which for 
present purposes are considered conventional, and the 
various panels in the main control room. It is evident 
from Figure 2 that information flows in both directions 
through the dashed line 46 representing the nuclear 
steam supply system and turbo generating system 
boundary. NSSS status and sensor information 48 that 
is used in the plant protection system 50 and the PAMS 
58, passes directly through the NSSS boundary 46. 
Control signals 52 from the power control system pass 
directly through the NSSS boundary. Other control 
system signals 60,62 from the engineered safeguard 
function component control system 56 and the normal 
process component control system 64, are interfaced 
through the NSSS boundary via remote multiplexors 6. 
Each of the plant protection system, ESF component 
control system, process component control system, power 
control system and PAMS, is linked to the main control
room 42, to each other, to the data processing system 
(DPS) 70 and to the discrete indication and alarm 
system (DIAS) 72. 

Figure 2 illustrates one significant aspect of the 
present invention, namely, the integration of 
monitoring, control and protection information, during 
both normal and accident conditions, so that the 
operator's task in determining an appropriate course of
action is considerably simplified. The way in which this 
is accomplished will be described in the following 
sections. 

II. Panel Overview

Figures 3(a) and 3(b) are schematics of a sit/stand 
panel such as the reactor coolant system panel 14 from the 
master control console 12 in accordance with one embodiment 
of the invention. Figures 3(c) and 3(d) show an 
alternative embodiment for stand up only. The 
substantially flat upper portion or wall 74 of the panel is 
vertically oriented and the substantially flat lower or 
desk portion 76 is substantially horizontal, with the 
monitoring and alarm interfaces carried by the upper 
portion, and the control interfaces carried on the lower
portion.

The alarm functionality (see Figures 9, 15-18) 
includes alarm and message (A & M) interface 78 having a 
multiplicity of tiles 80 each having a particular acronym 
or similar cue 81 associated therewith, whereby an alarm 
condition is indicated by the illumination of that tile and 
the generation of an accompanying audible signal. The 
operator is required to acknowledge the alarm by either
pushing the tile or some other interface provided for that 
purpose. The number of tiles associated with a particular 
panel is dependent on the number of different alarm 
conditions that can arise with respect to the monitored 
system, e.g., the reactor coolant system. Typically, 
hundreds of such tiles are associated with each panel. The 
alarms are prioritized into three (3) alarm classes 
(Priority 1, Priority 2, and Priority 3, 
prompting immediate action, prompt action and 
cautionary awareness). The RCS panel alarms
are equipment status and mode dependent (Normal RCS,
Heatup/Cooldown, Cold Shutdown/Refueling and Post
Trip). When a high priority alarm actuates
coincidentally with a low priority alarm on the same 
parameter, the lower priority alarm is automatically 
cleared. On improving conditions, the higher priority 
alarm will flash and sound a reset tone. The operator 
will acknowledge that the higher priority alarm has 
cleared. If the lower priority alarm still exists, its 
alarm window or indicator will turn on in the 
acknowledged state after the operator acknowledges that 
the higher priority alarm has cleared. 
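
The priority handling just described (automatic clearing of a superseded lower priority alarm, the reset tone on improving conditions, and the lower priority tile reappearing already acknowledged) can be written as a small per-parameter state machine. The following Python is an added example, not code from the specification; the class ParameterAlarms, the tile state names and the setpoint values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Tile display states; the names are assumptions made for this example.
OFF, NEW, ACKED, CLEARED = "off", "flash-new", "acknowledged", "flash-cleared"

# Constructed setpoints: {plant mode: {priority: high limit}}.
# A mode with no entry raises no alarm on this parameter (mode dependence).
SETPOINTS = {"Normal RCS": {3: 2300, 2: 2350, 1: 2400}}


@dataclass
class ParameterAlarms:
    """Alarm tiles for one monitored parameter (priority 1 is the highest)."""
    setpoints: dict
    tiles: dict = field(default_factory=lambda: {1: OFF, 2: OFF, 3: OFF})
    active: set = field(default_factory=set)
    tones: list = field(default_factory=list)

    def update(self, mode, value):
        """Re-evaluate the tiles for a new validated reading in this mode."""
        limits = self.setpoints.get(mode, {})
        self.active = {p for p, lim in limits.items() if value >= lim}
        top = min(self.active) if self.active else None
        for p in (1, 2, 3):
            state = self.tiles[p]
            if p == top:
                # Hold a lower priority tile off while a higher priority
                # tile is still flashing "cleared" and awaiting the operator.
                held = any(self.tiles[q] == CLEARED for q in range(1, p))
                if state == CLEARED or (state == OFF and not held):
                    self.tiles[p] = NEW
                    self.tones.append(("alarm", p))
            elif state in (NEW, ACKED):
                if top is not None and top < p:
                    # Superseded by a higher priority alarm on the same
                    # parameter: cleared automatically, no operator action.
                    self.tiles[p] = OFF
                else:
                    # Conditions improved: flash and sound the reset tone.
                    self.tiles[p] = CLEARED
                    self.tones.append(("reset", p))
        return dict(self.tiles)

    def acknowledge(self, p):
        """Operator acknowledges tile p (a new alarm or a cleared alarm)."""
        if self.tiles[p] == NEW:
            self.tiles[p] = ACKED
        elif self.tiles[p] == CLEARED:
            self.tiles[p] = OFF
            top = min(self.active) if self.active else None
            # A lower priority alarm that still exists turns on directly
            # in the acknowledged state.
            if top is not None and top > p and self.tiles[top] == OFF:
                self.tiles[top] = ACKED
        return dict(self.tiles)


def demo():
    """Constructed transient: rise through all three limits, then recover."""
    a = ParameterAlarms(SETPOINTS)
    trace = [a.update("Normal RCS", 2310)]        # priority 3 actuates
    trace.append(a.acknowledge(3))
    trace.append(a.update("Normal RCS", 2410))    # priority 1 supersedes 3
    trace.append(a.acknowledge(1))
    trace.append(a.update("Normal RCS", 2360))    # improving: 1 flashes cleared
    trace.append(a.acknowledge(1))                # 2 appears acknowledged
    trace.append(a.update("Normal RCS", 2200))    # fully recovered
    trace.append(a.acknowledge(2))
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```
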

The second monitoring interface is the process
variable indicators, for example reactor coolant hot and 
cold leg temperatures, pressurizer level and pressure, and 
other RCS parameters. Discrete indicators 82 (see also 
Figures 7 and 8) provide an improved method of presenting 
the RCS panel parameters. Some RCS panel parameters require 
continuous validated display and trending on the master 
control console. Plant process and category 1 parameters 
like pressurizer level and RCS cold leg temperature fall 
into this category. Other RCS panel parameters are used 
less frequently. The discrete indicators 82 provide 
indication on parameters needed for operation when the Data 
Processing System (CRT information displays) is 
unavailable. These include Regulatory Guide 1.97 category 1 
and 2 parameters, parameters associated with priority 1 or 
priority 2 alarms, other parameters needed for operation 
due to inaccessibility of local gauges and parameters that 
the operator must view for surveillance when the Data 
Processing System is unavailable for a period of up to 
twenty-four (24) hours. These less frequently viewed 
parameters would be available on discrete indicators,
with a menu available by operator selection. The menu 
would show alphanumeric listings of available data 
points. Lastly, parameters displayed on process 
controllers need not be available on discrete 
indicators. 

Additionally, a CRT display 84 generates an image 
of the major vessels, pipes, pumps, valves and the like 
associated with, e.g., the reactor coolant system and 
displays the alarms and values of the parameters which 
may be shown in bar, graph, trend line or other form on 
the other displays 78,82 (see Figures 4-6, 10, 12-14
and 19-23). From this CRT, the operator has access to
all NSSS information. The information is presented in a
three level structured hierarchy that is consistent with 
the operator's system visualization. Figure 4 illustrates 
the NSSS primary side page directory 84, which contains all 
CRT pages related to the functions of the RCS panel. 

In the control portion 76 of the panel 14, a plurality
of discrete, on-off switches 86 are provided at the left, 
for example, each switch pattern being associated with a 
particular reactor cooling pump whose operating parameters 
are displayed immediately above it, and analog control 
interfaces which can be in the form of conventional dials 
or the like (not shown), or touch screen, discrete control 
as indicated at 88. 

Process controllers are provided on the RCS panel to 
provide the operator with the ability to automatically or 
manually control process control loops. The process 
controllers allow control of throttling or variable 
position devices (such as electro-pneumatic valves) from a 
single control panel 
device. Process controllers are used for closed loop
control of the following RCS panel process variables:
pressure level, pressurizer pressure, RCP Seal
Injection Flow and RCP Seal Injection Temperature.
Process controllers are designed for each specific
control loop utilizing a consistent set of display
and control features.

In a conventional control room, each process
control loop has its own control device, usually 
referred to as a MANUAL/AUTO Station. For example, the 
RCP seal injection Sub-System has five process control 
loops, a seal injection flow control loop for each of 
the four RCPs and a seal injection temperature control 
loop for the entire sub-system. These five control 
loops each have their own MANUAL/AUTO station which
occupy a large amount of control panel space and make 
cross loop comparisons cumbersome. Although these five 
process loops are controlled independently, process 
variations in one controlled parameter affect the other 
four process parameters. Conventional MANUAL/AUTO 
stations make it difficult for the operator to 
simultaneously interact with the five MANUAL/AUTO
stations. 

The RCS panel process controllers for similar 
processes (related by function or system) are operated 
from a single control station, called a process 
controller. This single control station saves panel 
space, accommodates convenient cross channel checking 
and allows easier control loop interaction for multiple 
related controls.

Component control features (i.e., actuation of 
switches controls) provide the primary method by which 
the operator actuates equipment and systems on the RCS 
panel. The RCS panel has forty-three components
controlled from momentary type switches. Each switch 
contains a red status indicator for active or open and 
a green status indicator for inactive or closed. Blue 
status indicator lights/switches are used to indicate 
and select automatic control or control via a process 
controller. In addition to color coding, the red 
switch is always located above the green switch to 
reinforce color distinction. Each switch generates an 
active control signal when depressed and is inactive 
when released. Each switch is backlit to indicate 
equipment status/position. 

Process display formats use standard information 
placement for similar processes and equipment. Fluid 
system piping representations are where possible 
standardized, top to bottom, left to right, with 
avoidance of crossovers. Incoming and outgoing flow 
path connections are placed at the margins. Related 
data are grouped by task and analysis specifications for 
comparison, sequence of use, function, and frequency. 
Process representations/layout are based on the
operator's process visualization to maximize the
efficiency of his data gathering tasks. The operator's
visualization of a system is often based on diagrams
used with learning materials and plant design
documentation associated with system descriptions.

Graphic information is presented on display page 
formats to aid in rapid operator comprehension of 
processes. Graphic information includes the use of bar 
graphs, flow charts, trends, and other plots (e.g.,
Temp. vs. Press.).

Bar graphs are primarily used to represent flows,
pressures and levels. Since level corresponds to a
tank, the bar graph is placed with consistent spatial
orientation with respect to the tank symbol. Level bar 
graphs are oriented vertically. Flow bar graphs when 
used are oriented horizontally. Bar graphs are also 
helpful for comparison of numeric quantities. 

Flowcharts are used when they aid in the 
operator's process visualization. Flowcharts are 
helpful for understanding control system processes such 
as the Turbine Control system. Operator's learning 
materials for process control systems are frequently in 
a flowchart format, and thus a similar format on a
display page is easy to comprehend. 

Trends are used on display page formats when task 
analysis indicates that the operator should be informed 
about parameter changes over time. Additionally, the
operator is able to establish trends of any data base
points in the plant computer's data base. In some
situations, task analysis may indicate that more than 
one trend is important to monitor process comparisons. 
In other situations such as heatup/cooldown curves, two 
parameters may be placed on the different ordinate axis 
of a graph. 

When more than one trend curve occupies the same 
coordinate axes, two ordinate vertical axes can be used 
for parameters that have different units. Scale labels 
are divisible by 1, 2, 5 or 10. Tick marks between scale 
labels are also divisible by 1, 2, 5 or 10. Trended 
information is typically presented on display pages 
with a scale of 30 minutes. However, the operator is 
able to adjust the scale to suit his needs.
Logarithmic axes may be established using multiples of 
10. If full range is less than 10, an intermediate 
range label is located to fall near the middle of the 
scale. 
Different colors are used for trends occupying the
same coordinates. When multiple curves use a common 
scale, the scale is gray and the curves are color 
coded. When multiple ordinate scales are used, they 
are color coded in correspondence to the curve. The 
colors used for trends will not include the alarm color 
or normal status color to avoid associating process 
parameter with normal or alarm conditions. 

Color is used to aid the operator in rapidly 
discriminating between different types of information. 
Since the benefits of color coding are more pronounced 
with fewer colors, coding on informational displays 
(i.e., IPSO, CRTs, alarm tiles) is limited to seven 
colors. In addition, color coded information has other
representational characteristics to aid in 
discrimination of data and discrimination by color 
deficient observers. 

The following colors are used in the information 
display to represent the following types of 
information. The colors used have been carefully 
selected to yield satisfactory contrast for red-green 
deficient color observers. 

Color        Representation Characteristics

Black        Background color.

Green        Component Off/Inactive, Valve Closed and
             Operable.

Red          Component On/Activated, Valve Open and
             Operable.

Yellow       Alarm status - good attention-getting
             color.

Grey         Text, labels, dividing lines, menu
             options, piping, inoperable and
             non-instrumented valves, graph grids,
             and other applications not covered by
             other coding conventions.

Light Blue   Process parameter values.

White        System's response to operator touch,
             e.g., menu selection until appropriate
             system response occurs.

Shape coding is used in the information system to 
aid the operator in identifying component type,
operational status, and alarm status. Component shape 
coding is based on symbology studies which included 
shape coding questionnaires given to nuclear power 
plant personnel. Figs. 5 and 6 show the shapes used to 
represent components in the control room. An attribute 
of shape, hollow/solid, is reflective of the status of 
the component. Hollow shape coding indicates that the 
component is active, whereas solid shape coding is used 
to represent inactive components. An example of shape 
coding for a pump and valve is described as follows. 
Pu W p A hollow pump indicates that the pump has 

been activated by the operator ot automatic 
control signal. A solid pump indicates 
that the pump has been deactivated by the 
operator or automatic control signal. 
valve A hollow valve indicates that the valve is 

fully open and a solid valve indicates that 
the valve is fully closed. A valve not 
fully open or closed has a mixed 
solid/hollow shape, i.e., left side 
solid/right ride hollow. 
Information coding on valves is provided by these 
additional characteristics/representations: 

Valve Open and Operable - Red Color Coding. 
Valve Closed and Operable - Green Color Coding. 
Non-Instrumented Valve - Grey Color Coding (Position is 
    Operator Inputted). 
Valve Not Operable - Grey Color Coding with Alarm 
    Coding. 
Loss of Indication - Grey Color Coding with Alarm 
    Coding and mixed hollow/solid shape. 

Information associated with safety related 
concerns is integrated as a part of the control room 
information to allow the operator to use safety related 
information, where possible, during normal operation. 
This is a better design from a human factors view than 
that of previous control rooms because in stressful 
situations, people tend to use information that they 
are most familiar with. 

In many situations, safety related parameters are 
only a subset of the parameters that monitor a 
particular process variable. Operators of present 
control room designs typically use control or narrow 
range indications during process control and should use 
separate safety related indications when monitoring 
plant safety concerns. In this invention, the 
parameters typically used for monitoring and control 
are validated for accuracy against the safety related 
parameter(s), where available. If a parameter deviates 
beyond expected values from the associated safety 
related information, a validation alarm is presented to 
the operator. In response to an alarm condition, the 
operator can review the individual channels associated 
with the parameter on either a diagnostic CRT page or 
the discrete indicator displaying that parameter. At 
this time, he can select the most appropriate sensor 
for display. The operator is informed when the 
validation algorithm is able to validate the data. The 
resultant outputs of the validation algorithms are used 
on IPSO, the normally displayed format of a discrete 
indicator, and the higher level display pages on the 
CRT display system that contain the parameter. The 
Regulatory Guide 1.97 category 1 information is also 
displayed, by discrete indication display, at a single 
location on the safety monitoring panel. 

Critical Function and Success Path (availability and 
performance) information is accessible throughout the 
information hierarchy (see Figures 10, 24, 25, 26, 27, 
32-35). Alarms provide guidance to unexpected deviation in 
critical functions as well as success path 
unavailability or performance problems. Priority 1 
alarms alert the operator to the inability to maintain 
a critical function as well as the inability of a 
success path to meet minimum functional requirements. 
Lower priority alarms provide subsystem/train and 
component unavailability or poor performance. 

IPSO provides overview information that is most 
useful for operator assessment of the Critical 
Functions. Priority 1 alarms associated with the 
Critical Functions or Success Paths supporting the 
critical function are presented on IPSO critical 
function matrix. Supporting information relating to 
these alarm conditions is available by using the alarm 
tiles or the critical function section of the CRT 
display page hierarchy. 

The critical function section of the display page 
hierarchy contains the following information: 

Level 1 Display Page - Critical Functions: This page 
provides more detail on the critical function matrix 
presented on IPSO, specifically more detail on alarm 
conditions (descriptor, priority). This will help 
guide the operator to the appropriate level two 
critical function display page. 

A 2nd level page exists for each of the 12 
critical functions. Each page contains: 

    The critical function information provided 
    on the 1st level display page that is 
    associated with the critical function. 

    Information related to success path 
    availability and performance of the success 
    paths that can support that critical 
    function. 

    High level information presented using a 
    mimic format with the critical 
    function/success path related information. 

    A time trend of the most representative 
    critical function parameter. 

The 3rd level display pages in the critical 
function hierarchy are duplicates of display pages 
existing elsewhere in the hierarchy. For example, a 
safety injection display page under 
Inventory Control also exists within the primary 
section of the display page hierarchy. 

A. Discrete Indicators 

The discrete indicators 82 provide an improved method 
of presenting safety related parameters. Major process 
parameters such as Regulatory Guide 1.97 Category 1 
require continuous validated display and trending on 
the master control console. The discrete indicators 
also provide indication and alarms on parameters needed 
for operation when the Data Processing System (DPS) is 
unavailable. These include Regulatory Guide 1.97 
Category 1, 2, 3 parameters, parameters associated 
with priority 1 or priority 2 alarms, and other 
surveillance related parameters. Though the DPS is a 
highly reliable and redundant computer system, its 
unavailability is considered for a period of up to 
twenty-four hours. The less frequently viewed 
parameters are available on discrete indicators, with a 
menu available by operator selection. 

Each discrete indicator has the capability to 
present a number of parameters associated with a 
component, system, or process. The discrete indicators 
present various display formats that are based on 
fulfilling certain operator information requirements. 

When monitoring or controlling a process such as 
pressurizer pressure it is 
desirable that the operator use a "process 
representation" value in the most accurate range. For 
this type of information, the discrete indicator 82 such as 
is shown in Figures 7 and 8 presents a bold digital value 
90 in field 92 and an analog bar graph 94 of the validated 
average of the sensors in the most accurate range. The 
preferred validation technique is described in the 
Appendix, and validated status is indicated in field 96. 
This validated data is checked against post-accident 
monitoring indication (PAMI) sensors when applicable. When 
in agreement with the PAMI as shown at field 98, the 
indicator may be used for post-accident monitoring. This 
has the advantage of continuing to allow the operator to 
utilize the indicator he is most familiar with and uses on 
a day-to-day basis. The operator, upon demand, can display 
any individual channel on the discrete indicator digital 
display by touching a sensor identification such as 102. 
The use of validated parameters is a benefit to operators 
by reducing their stimulus overload and task loading 
resulting from presentation of multiple sensor channels 
representing a single parameter. 

When the parameter cannot be validated, the discrete 
indicator displays the sensor reading that is closest to 
the last validated value. A validation 

6. RCS 

7. T hot 

8. T cold 

9. Pressurizer Pressure 
10. Pressurizer Level 

Figure 7 illustrates that two related discrete 
indicators can be shown on a single display 82. On the 
left side of the display 82 validated pressurizer pressure 
is shown whereas at the right, pressurizer level is shown. 
The pressure display includes the following: digital 
"process representation" value 90 with units of measurement 
(2254 psig), quality 96 of the display (VALID), indication 
98 that the display is acceptable for post accident 
monitoring (PAMI), bar chart 94 with the process value, a 
30 minute trend 104, normal operating range (NORMAL) 106, 
instrument range (1500-2500) and units of measurement for 
the bar chart (psig). 

In the upper right hand corner of the PRESS display, 
there are two buttons, "CRT" and "MENU". When touched, the 
selected button backlights, indicating selection. When the 
operator removes his hand, the actual selection is 
processed. The "CRT" 84 button changes the CRT menu 
options on the CRT located at the same panel as the 
discrete indicator where the button is pushed, e.g. RCS 
panel 14 as shown in Figure 3. This "CRT" option 
identifies the CRT pages most closely associated with the 
parameters on the discrete indicator. 

The "MENU" button selects the discrete indicator menu 
(Figure 8). The upper section of the menu page is nearly 
identical to the normal display. It contains the digital 
"process representation" value 90 with units of measurement 
(2254 psig), quality of display (VALID), indication that 
the display is acceptable for post accident monitoring 
(PAMI), CRT and MENU buttons. 

The lower section of the menu page contains selector 
buttons, such as 102, for all sensor inputs and "calculated 
signals" of this discrete indicator. The selector buttons 
102 backlight when touched, indicating selection. When the 
operator removes his finger, the actual processing of the 
selection takes place. There are 13 buttons for pressure: 
four for 0-1600 psig pressurizer pressure: P-103, P-104, 
P-105 and P-106; six for 1500-2500 psig pressure: P-101A, 
P-101B, P-101C, P-101D, P-100X and P-100Y; two for 0-4000 
psig RCS pressure: P-190A and P-190B; and one for the 
"calculated signal" pressure: CALC PRESS. When selected, 
the CALC PRESS button displays the "calculated signal" 
(i.e., the output of the algorithm). The "calculated 
signal" of the algorithm can be a "valid" signal. If the 
algorithm were to fail and select an individual sensor for 
the "calculated signal", the "valid" message would be 
replaced by the message "fault select". This message 
"fault select" would be displayed in reverse image on the 
discrete indicator. This message would be displayed on the 
discrete indicator any time "CALC PRESS" is selected until 
the algorithm outputs a "VALID" signal to replace the 
"FAULT SELECT" sensor. 

To change the display, the operator would touch the 
button containing the sensor he wished to view. For 
example: by touching the button marked "P-103", the 
digital display would display the output from the 0-1600 
psig range sensor P-103. The message "VALID" below the 
digital value would be replaced by the message "P-103". 
Additionally, the "PAMI" message would be removed because 
P-103 is not a PAMI sensor. 

The button "ANAL/ALARM OPER SEL" selects the 
signal used for the "process representation" in DIAS. 
It selects whatever sensor is displayed on the digital 
display. The signal select button gives the operator 
the option to "operator select" any of the sensors for 
analog display and alarm processing when a fault 
exists, such as: 

1. When validation fails and a "FAULT SELECT" sensor 
is selected for the "process representation". 

2. When the "Valid" output does not correlate to the 
PAMI sensor(s). 

If a fault were present and the operator elected to 
select P-103 for the "process representation", he would 
select the menu, select P-103 for display and then touch 
the "ANAL/ALARM OPER SEL" button. The message in field 96 
below the digital display would read "P-103 OP SEL" in 
reverse image. Any time P-103 was selected for display, it 
would have the message "OP SEL" displayed in reverse image, 
indicating that the output from P-103 is being used for the 
"process representation". After selecting an "operator 
select" sensor for the "process representation", it is 
expected that the operator will depress the button marked 
"ANALOG DISPLAY". This would return to the analog 94 and 
trend display 104 (Figure 7) for the operator selected 
sensor with the message "OP SEL" in reverse image. 

The "ANAL/ALARM OPER SEL" button is not normally 
displayed on the discrete indicator menu page; it 
automatically displays when the "operator select 
permissive" is enabled after a fault. The "ANAL/ALARM OPER 
SEL" button is removed from the menu page when the 
"operator select permissive" is disabled after all faults 
are corrected. 

The button "ANALOG DISPLAY" removes the menu page and 
for whatever sensor or "calculated signal" is currently 

sensors (if present). If this second deviation check 
is satisfactory, the "process representation" is 
displayed with the message "Valid PAMI" (Post-Accident 
Monitoring Indication), indicating that this signal is 
suitable for monitoring during emergency conditions, 
since it is in agreement with the value as determined 
by the PAMI sensors. As long as agreement exists, this 
indicator may then be utilized for post-accident 
monitoring rather than utilizing the dedicated PAMI 
indicator. This provides a Human Factors Engineering 
advantage of allowing the operator to use the indicator 
he normally uses for any day-to-day work and which he 
is most familiar with. 

The validation process, as described, reduces the 
time an operator takes to perform the tasks related to 
key process related parameters. To insure timely 
information, all validated outputs are recalculated at 
least once every two seconds. Additionally, redundancy 
and hardware diversity are provided in the calculating 
devices insuring reliability. 

The following section describes the algorithm and 
display processing on the DIAS and CRT displays. 

1. The "process representation" is always 
displayed on the applicable DIAS display and/or 
CRT page(s) where a single "process 
representation" is needed as opposed to multiple 
sensor values. Each plant process parameter 
is evaluated individually to determine the type of 
display required and location (DIAS and CRT or CRT 
only). 

2. The "process representation" is always a "valid" 
value unless there is a: 
a. "Fault Select" value or 

b. "Operator Select" value. 

Both of these are explained below. 

The "process representation" is always used for 
alarm calculations and trending (where a single 
value is normally trended). This can be "valid", 
"fault select" or "operator select" data, 
depending on the results of the algorithm 
calculations as described below. 

Using a menu on DIAS or the CRT, the operator may 
view any of the values (A, B, C, D or calculated 
output) without changing the "process 
representation". 

A "Fault Select" value will be displayed 
automatically as the "process representation" when 
the validation algorithm is unable to yield 
"valid" data. The "fault select" value is the 
output of the sensor closest to the last "valid" 
signal at the time validation initially failed. 
On DIAS (if applicable), this information will be 
labeled "fault select". On the CRT(s) graphic 
pages, this information is preceded by an 
asterisk (*) to indicate suspect data. 

The "fault select" "process 
representation" is automatically returned to a 
"valid" "process representation" when the 
validation algorithm is able to calculate "valid" 
data. 

An "operator select" sensor may be selected for 
the "process representation" only when there is a: 

a. "Validation Fault" or 

b. "PAMI Fault". 

The "operator select" "process representation" 
will replace the "valid" or "fault select" 
"process representation". On DIAS (if 
applicable), this information will be labeled 
"operator select". On the CRT(s), this 
information will be preceded by an asterisk (*) on 
graphic displays and labelled "operator select" in 
the data base. The "operator select" "process 
representation" is automatically replaced by the 
calculated "valid" signal when both the 
"Validation Fault" and the "PAMI Fault" 
clear. 
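
The display-processing rules listed above can be exercised as a small state machine. The following Python sketch is an added example, not the patent's own algorithm: the preferred validation technique is in the Appendix, which is not reproduced here, so the channel-spread check, both tolerances, the `ProcessRepresentation` class and the PAMI channel names are assumptions. Sensor tags P-101A to P-101D and the display labels come from the text.

```python
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, Optional, Set

CHANNEL_TOL = 25.0  # assumed: max spread (psig) between channels for a "valid" average
PAMI_TOL = 40.0     # assumed: max deviation (psig) between valid value and PAMI average


@dataclass
class Display:
    value: float
    label: str               # message shown below the digital value
    validation_fault: bool
    pami_fault: bool


class ProcessRepresentation:
    """Chooses the single "process representation" for one plant parameter."""

    def __init__(self) -> None:
        self.last_valid: Optional[float] = None
        self.fault_sensor: Optional[str] = None     # latched when validation first fails
        self.operator_sensor: Optional[str] = None
        self.permissive = False                     # "operator select permissive"
        self.known: Set[str] = set()

    def operator_select(self, sensor: str) -> bool:
        """Accept an operator-selected sensor only while a fault exists."""
        if not self.permissive or sensor not in self.known:
            return False
        self.operator_sensor = sensor
        return True

    def update(self, channels: Dict[str, float], pami: Dict[str, float]) -> Display:
        self.known = set(channels)
        readings = list(channels.values())
        validation_fault = max(readings) - min(readings) > CHANNEL_TOL
        pami_fault = False
        if not validation_fault:
            value = mean(readings)
            self.last_valid = value
            self.fault_sensor = None    # "fault select" returns to "valid" automatically
            label = "VALID"
            if pami:
                pami_fault = abs(value - mean(list(pami.values()))) > PAMI_TOL
                if not pami_fault:
                    label = "VALID PAMI"
        else:
            if self.fault_sensor is None:
                # Latch the sensor closest to the last valid value at initial failure.
                # Assumed fallback when nothing was ever validated: the channel median.
                ref = self.last_valid if self.last_valid is not None else median(readings)
                self.fault_sensor = min(channels, key=lambda s: abs(channels[s] - ref))
            value = channels[self.fault_sensor]
            label = "FAULT SELECT"

        self.permissive = validation_fault or pami_fault
        if not self.permissive:
            self.operator_sensor = None     # replaced by the calculated valid signal
        elif self.operator_sensor in channels:
            value = channels[self.operator_sensor]
            label = f"{self.operator_sensor} OP SEL"
        return Display(value, label, validation_fault, pami_fault)


if __name__ == "__main__":
    # Constructed readings (psig); PAMI-1/PAMI-2 are hypothetical channel names.
    pr = ProcessRepresentation()
    pami = {"PAMI-1": 2250.0, "PAMI-2": 2260.0}
    good = {"P-101A": 2254.0, "P-101B": 2250.0, "P-101C": 2258.0, "P-101D": 2254.0}
    drift = dict(good, **{"P-101D": 2400.0})
    print(pr.update(good, pami))
    print(pr.update(drift, pami))
    print(pr.operator_select("P-101C"), pr.update(drift, pami))
    print(pr.update(good, pami))
```

The points worth checking in any implementation of this scheme are the two gates: an operator override is refused unless a validation or PAMI fault is active, and it is dropped without operator action once both faults clear.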

It should be appreciated that the discrete 
validation is accomplished using a generic algorithm 
that is applicable to different parameters. In this 
manner, the operators understand how the validated 
reading has been determined for every parameter and, 
again, this reinforces their confidence. This 
algorithm always has an output and allows the operator 
selection for display when validation is not possible. 
The discrete indicators continuously display all vital 
information yet allow easy access via a function or 
organized menu system to enable the operator to access 
less frequently needed information. There is no need 
for separate backup displays, since the backups are 
integrated in the subsidiary levels of retrieval. Such 
displays vastly reduce the amount of indicator 
locations required on the panel and yet provide all 
vital indication in an easy to use format, thereby 
reducing stimulus overload. 

The Appendix, in conjunction with Figures 37 and 38, 
provides additional details on the preferred 
implementation of the algorithm. 



C. Alarm Processing and Display 

Another feature of the monitoring associated with 
each panel is the reduction of the number of alarms 
that are generated, in order to minimize the operator 
information overload. Cross channel signal validation 
is accomplished prior to alarm generation, and the 
alarm logic and set points are contingent on the 
applicable plant mode. 

The alarms are displayed with distinct visual 
cueing in accordance with the priority of the required 
operator response. For example, priority 1 dictates 
immediate action, priority 2 dictates prompt action, 
priority 3 is cautionary, and priority 4, or operator 
aid, is merely status information. 

The types of alarm conditions that exist within 
each category are described below: 

Priority 1 

1. Conditions that may cause a trip in less than 
10 minutes. 

2. Conditions that may cause major equipment 
damage. 

3. Personnel/Radiation hazard. 

4. Critical Safety Function violation. 

5. Immediate Technical Specification Action 
Required. 

6. First-Out Reactor/Turbine Trip. 

Priority 2 

1. Conditions that may cause a trip in greater 
than 10 minutes. 

2. Technical specification action items that are 
not Priority 1. 

3. Possible equipment damage. 



Priority 3 

1. Sensor deviations. 

2. Equipment status deviations. 

3. Equipment/process deviations not critical to 
operation. 



The alarms are displayed using techniques that 
help the operator quickly correlate the impact of the 
alarm on plant safety or performance. These techniques 
include grouping of displays which highlight the nature 
of the problem rather than the symptom denoted by the 
specific alarm condition. Another is the fixed spatial 
dedication of alarm displays allowing pattern 
recognition. Another is the plant level pictorial 
overview display on the IPSO board which shows success 
paths and critical functions impacted by the priority 1 
alarms. 

To insure that all alarms are recognized by the 
operator without task overload, all alarms can be 
either individually acknowledged, or acknowledged in 
small functionally related groups. All alarms can be 
acknowledged at any control panel. Momentary audible 
alerts for alarm state changes require no operator 
action to silence. Periodic momentary audible 
reminders are provided for unacknowledged conditions. 
The operator can effectuate a global alarm stop flash 
which will automatically resume in time, to allow for 
deferred acknowledgement. 

In addition to alarms, an information notification 
category "Operator Aids" has been established for 
information that may be helpful for operations but is 
not representative of deviations from abnormal 
conditions. Conditions classified as "Operator Aids" 
include: channel bypass conditions, approach to 
interlocks and equipment status change permissive. 

Some parameters have more than one alarm on the 
same parameter (i.e., Seal Inlet Temperature Hi Hi and 
Hi). To limit the operator's required response, the 
lower priority is automatically cleared without a reset 
tone or slow flash rate when the higher priority alarm 
actuates after actuation of the lower priority alarm. 
The Hi Hi alarm will be acknowledged by the operator; 
therefore, the operator acknowledgement of the cleared 
lower priority alarm is unnecessary. When the 
condition improves to the point where the higher 
priority alarm clears, the condition will sound a reset 
tone and the alarm window will flash slowly. The 
operator will acknowledge that the higher priority 
alarm has cleared. If the lower priority alarm 
condition still exists, its alarm tile or indicator 
will turn on in the acknowledged state after the 
operator acknowledges that the higher priority alarm 
has cleared. If the condition improves such that it 
clears both the high and low priority alarms before 
operator acknowledgement, then operator acknowledgement 
of the cleared high priority alarm will also clear the 
lower priority condition. 

1. Mode and Equipment Dependency 

A key feature of the alarm system is its mode 
dependent and equipment status dependent logic. These 
features combine to greatly reduce the number of alarms 
received during significant events and limit those 
alarms to conditions that actually represent process or 
component deviations pertinent to the current plant 
state. Mode and equipment dependency is implemented 
both through alarm logic changes and setpoint changes. 
An example of mode dependency is the reduction in the 
low pressurizer alarm setpoint to avoid a nuisance 
alarm on a normal reactor trip. Equipment dependent 
logic is used to actuate a low flow alarm only when an 
upstream pump is supposed to be operating. 

Four modes have been selected which correspond to 
significant changes in the alarm logic based on the 
plant state. These modes are: 

1. Normal operation 

2. Heatup/cooldown. 

3. Cold shutdown/refueling. 

4. Post-trip. 

The alarm modes are manually entered by the 
operator with the exception of the post-trip mode. 
Upon a reactor trip, the alarm logic automatically 
switches to the post-trip mode with no operator action 
required. All equipment dependent alarm features are 
actuated automatically without operator action. 

2. Subfunction Grouping 

The RCS panel has over 200 conditions that can 
cause an alarm. To reduce the operator's stimulus 
overload due to the quantity of alarms and improve his 
alarm comprehension, many alarms are grouped into 
subfunctional groups 108, 110, 112 (Figure 15). The 
subfunctional group alarm tiles have a variety of related 
subfunctional group alarm messages that are read on the 
panel alarm message window 114 (adjacent to the alarm tile) 
or CRT. In cases where key process related parameters are 
alarmed, there is a single alarm message for each alarm 
tile (i.e., RCS Pressure Low). This single alarm message 
allows the operator to quickly identify the specific 
process related problem. 

As shown in Figure 16, some alarms are grouped by 
similar component rather than process function, and are 
augmented by a message such as 116. 

As shown in Figure 9, each alarm tile can be in one of 
the following states: 

1. Unacknowledged Alarm - If there is an unacknowledged 
   alarm associated with an alarm tile, the alarm 
   tile will flash at a fast rate (i.e., 4 times/sec 
   using a 50/50 duty cycle as depicted by the long 
   rays in Figure 9). This condition takes 
   precedence over all other alarm tile states for 
   group alarms. 

2. Cleared Alarm/Return to Normal (Reset Alarm) - When an 
   alarm condition clears, the corresponding alarm 
   tile flashes at a slow rate (i.e., 1 time/sec 
   using a 50/50 duty cycle as depicted in the short 
   rays in Figure 9) until this condition has been 
   acknowledged. This condition takes precedence 
   over the remaining two states for grouped alarms. 

3. Alarm - If an alarm condition exists and alarm states 
   1 and 2 above do not exist, then the alarm tile 
   is lit without flashing (as depicted by the 
   absence of rays in Figure 9). 

4. No Alarm - If there is no alarm condition associated 
   with an annunciator tile, then the alarm tile is 
   not lit (not depicted in Figure 9). To indicate 
   that the alarm tile's bulb is functioning, a lamp 
   test feature is provided. 
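
The precedence among the four tile states matters most for grouped tiles, where several conditions share one lamp. The following Python sketch is an added example, not code from the patent: the condition names are constructed, and the assumption that a condition clearing before acknowledgement goes straight to the cleared state is mine.

```python
from enum import Enum
from typing import Dict, Iterable, Tuple


class Cond(Enum):
    NORMAL = "normal"   # no alarm condition
    UNACK = "unack"     # in alarm, not yet acknowledged
    ACKED = "acked"     # in alarm, acknowledged
    RESET = "reset"     # cleared / returned to normal, clearing not yet acknowledged


# Tile states in precedence order: (state name, flashes per second, lit)
PRECEDENCE = [
    (Cond.UNACK, ("UNACKNOWLEDGED ALARM", 4, True)),
    (Cond.RESET, ("CLEARED ALARM", 1, True)),
    (Cond.ACKED, ("ALARM", 0, True)),
]
NO_ALARM = ("NO ALARM", 0, False)


class AlarmTile:
    """One annunciator tile shared by a group of alarm conditions."""

    def __init__(self, conditions: Iterable[str]) -> None:
        self.conds: Dict[str, Cond] = {name: Cond.NORMAL for name in conditions}

    def actuate(self, name: str) -> None:
        # A new or re-occurring alarm always needs acknowledgement.
        if self.conds[name] in (Cond.NORMAL, Cond.RESET):
            self.conds[name] = Cond.UNACK

    def clear(self, name: str) -> None:
        # Assumed: clearing before acknowledgement also enters the cleared state.
        if self.conds[name] in (Cond.UNACK, Cond.ACKED):
            self.conds[name] = Cond.RESET

    def acknowledge(self, name: str) -> None:
        if self.conds[name] is Cond.UNACK:
            self.conds[name] = Cond.ACKED
        elif self.conds[name] is Cond.RESET:
            self.conds[name] = Cond.NORMAL

    def state(self) -> Tuple[str, int, bool]:
        """Tile state for the whole group, highest-precedence condition wins."""
        present = set(self.conds.values())
        for cond, tile_state in PRECEDENCE:
            if cond in present:
                return tile_state
        return NO_ALARM


if __name__ == "__main__":
    # Constructed condition names for a grouped tile.
    tile = AlarmTile(["PZR LEVEL HI", "PZR LEVEL LO"])
    tile.actuate("PZR LEVEL HI")
    print(tile.state())
    tile.acknowledge("PZR LEVEL HI")
    print(tile.state())
    tile.clear("PZR LEVEL HI")
    print(tile.state())
```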






3. Shape and Color Coding 

Non-cleared alarm information is identified by a 
unique tile color, in this case yellow 118. Grey color 
coding is used for the tile color 122 for Return to Normal 
conditions. The parameter/component descriptor or concise 
message 120 within the tile is shown in blue. This single 
bright color is used for alarm information to maximize the 
attention-getting quality of this information. Shape coding 
is used to identify alarm priority, i.e., 1, 2 or 3. The 
shape coding used for identifying alarm priorities uses 
representational features of decreasing levels of salience. 
Shape coding of alarm priorities also allows retention of 
priority information for Return to Normal conditions. 

For priority 1 alarms, the alarm tiles, mimic diagram 
components, symbols, process parameters, and menu option 
fields have their descriptor presented in reverse image 
(i.e., blue letters 120 on a yellow 118 solid rectangular 
background 124) using the alarm color coding. The 
descriptor is presented in blue to provide good contrast 
for readability. In addition, the alarm tiles and menu 
option fields on the CRT use the same representation. 

For priority 2 alarms, the alarm tiles, mimic diagram 
parameters, components, menu options, and symbols have a 
thin (1 line) box 126 using the yellow alarm color code 118 
around their descriptor, which is blue. 

For priority 3 alarms, the alarm tiles, mimic diagram 
parameters, components, menu options, and symbols have 
brackets 128 around their descriptors 120. For all alarms, 
English Descriptors on the CRT's message line are also 
represented with the alarm representation formats when they 
are in alarm. 

4. Alarms on CRT 

Each CRT page in the data processing system provides 
the operator with an overview of the existence of any 
unacknowledged alarm conditions and a general overview of 
where they exist within the plant. The standard menu 
provided with each display page contains the IPSO and all 
first level display pages as menu options (see Figure 10 
menu region 130). These menu option fields provide the 
existence of unacknowledged alarms in their sector of the 
display page hierarchy and their alarm status/priority by 
using the alarm highlighting feature as described above. 
If an alarm tile (i.e., in the DIAS) is in alarm, a first 
level display menu option field, such as 132, in the menu 
options 130 shows that an alarm condition exists in an 
associated area of the display page hierarchy. The alarm 
tiles in menu 130 are categorized into the first level 
display page set corresponding to the console groupings or 
by critical function, as shown in Figure 11. 

In addition to alarm information represented on the 
first level display page menu options, the following 
display page features are also used to represent the 
existence of alarms. 

Display page menu options 134 that provide access to 
levels 2 and 3 display pages are lit with the above 
described alarm representation if information on the 
corresponding page is in alarm (e.g., if an unacknowledged 
alarm exists, the display page menu option is highlighted 
to show the highest priority unacknowledged condition). 

The operator can, by selecting option 136, call up a 
level 2 display page directory containing a pictorial 
diagram of the level 3 display pages in a hierarchical 
format associated with a first level display page (see 
Figures 12 and 15). Each of the level 2 and 3 display 
pages represented on this diagram provides alarm 
notification if information on that display page 
is in an unacknowledged alarm state. This alarm 
information is most useful for determining where alarms 
exist within an area of the display page hierarchy. For 
example, the operator would be notified by the display page 
menu 130 (Figure 10) that an unacknowledged alarm(s) exists 
in the auxiliary systems by grey alarm shape coding (return 
to normal) and slow flashing of alarm coding on the PRI 
menu option field. He can then access that 
directory/hierarchy to see what page(s) contains alarm 
information by touching the menu option "DIRECTORY" 136 
followed by PRI. When the Primary display directory comes 
up (Figure 12), the field(s) representing the display 
page(s) that contains the alarm condition(s) (such as PZR 
LEVEL 138) will be highlighted. The desired page that 
contains the alarm information (similar to Figure 15) is 
accessed by touching the flashing field. 

The descriptors of components and plant data on the 
process display pages of the CRT (Figure 13) are alarm 
coded and flashed to provide indication of alarms and their 
acknowledgement status. A component's descriptor can 
provide this alarm information if a parameter associated 
with the component is in alarm. This is true even if the 
parameter in alarm is not represented on the display pages, 
e.g., low pump lube oil pressure is represented by alarm 
coding of the associated component's symbol. To view the 
exact information that is in alarm, the operator can access 
a lower level display page, or use the alarm system 
features that are described later. 

5. Determining Alarm Conditions and Acknowledging Alarms 

With reference again to Figure 16, each category 1 and 
2 alarm annunciator tile in the DIAS may notify the 
operator of more than one possible alarm condition. To 
quickly determine the actual alarm condition, a message 
window 114 is provided in the display 
area 78 on the panel. By depressing an unacknowledged 
alarming annunciator tile, such as 134, an English 
description 116 of the specific alarm condition is provided 
on the message window 114. The alarm tile 134 remains 
flashing until all alarm conditions associated with the 
alarm tile have been acknowledged. The English descriptors 
of additional alarms can be accessed by redepressing the 
alarm tile 134. 

At the same time that a message appears on the message 
window of a DIAS alarm display 78, an alarm message is 
presented on another field 132 at the bottom of the display 
page 84 on the panel CRT (see Figure 13). The CRT alarm 
message contains the following information: Time, 
Priority, Severity (e.g., Hi, Hi-Hi), Descriptor, Setpoint, 
and real time process value (coded as described to show the 
alarm priority and alarm condition). If additional 
unacknowledged alarms exist that are associated with the 
tile, the number of additional unacknowledged alarms is 
specified within a circle 136 at the right hand side of the 
message area (see Figure 13). 

In addition to this alarm message, menu options/fields 
appear on the display page menu (Region 4) and provide 
direct access to the display pages that can be used to 
obtain supporting or diagnostic information of the alarm 
condition. The display regions are shown in Figure 22. The 
alarm tiles that are in alarm on the DIAS display 78 of a 
given panel can be accessed and acknowledged on any CRT 
panel by procedure similar to accessing and acknowledging 
the alarms via the alarm tiles. By selecting the "Alarm 
Tiles" menu option followed by an alarming display page 
menu option (i.e., first level display page set (region 
3)), the alarm tiles that are in alarm, that are associated 
with the display page, are provided in region 4 of the 
display page menu. One tile is depicted and is a 
touch target that provides access to other tiles. The 
operator acknowledges and reviews these CRT alarm tiles 
by touch and obtains alarm messages and supporting 
display page touch targets in the same format as 
described above. This 
means of responding to alarming alarm tiles is most 
useful for responding to alarms at workstations that 
are remote to the operator's location. 

All alarm conditions associated with an 
annunciator tile in the DIAS display are held in a 
buffer. The buffer containing alarm conditions is 
arranged in the following format: 

1      First-In Unacknowledged 
2 
. . . 
N      Last-In Unacknowledged 
N+1    First-In Cleared/Return to Normal 
N+2 
. . . 
n      Last-In Cleared/Return to Normal 
n+1    Acknowledged Alarms 
n+2 
. . . 

Depressing an alarm tile provides access to the alarm 
condition that is at the top of the buffer. 

Acknowledging unacknowledged alarms moves these 
alarm conditions to the bottom of the buffer. 
Acknowledging cleared alarms drops them from the 
buffer. Previously acknowledged alarm(s) (n+1, n+2, ...) 
can be reviewed when there are no unacknowledged or 
cleared unacknowledged alarm conditions present. Upon 
reviewing these alarms, they move to the bottom of the 
buffer. 
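
The buffer behaviour described above, modeled as an added example (not code from the patent). The three-deque layout, the class and method names, the sample condition strings, and the handling of re-alarms and of unacknowledged conditions that clear are assumptions made for illustration.

```python
from collections import deque

FAST, SLOW, STEADY, OFF = "fast-flash", "slow-flash", "steady", "off"


class TileBuffer:
    """Alarm conditions held behind one annunciator tile.

    Top-to-bottom order follows the text: unacknowledged (first-in first),
    then cleared/return-to-normal (first-in first), then acknowledged.
    """

    def __init__(self):
        self.unack = deque()    # new alarms awaiting acknowledgement
        self.cleared = deque()  # returned to normal, awaiting reset
        self.acked = deque()    # acknowledged and still in alarm

    def _remove(self, cond):
        # Drop cond from whichever band currently holds it.
        for band in (self.unack, self.cleared, self.acked):
            if cond in band:
                band.remove(cond)

    def raise_alarm(self, cond):
        """A condition enters alarm: queue it as last-in unacknowledged."""
        if cond in self.unack or cond in self.acked:
            return              # already active, not re-queued (assumption)
        self._remove(cond)      # re-alarm before the clear was reset (assumption)
        self.unack.append(cond)

    def clear_alarm(self, cond):
        """A condition returns to normal: it waits for the operator's reset."""
        if cond in self.unack or cond in self.acked:
            self._remove(cond)  # applies to unacknowledged ones too (assumption)
            self.cleared.append(cond)

    def press(self):
        """One tile press acts on the entry at the top of the buffer."""
        if self.unack:
            cond = self.unack.popleft()
            self.acked.append(cond)                 # moves to bottom of buffer
            return cond, "acknowledged"
        if self.cleared:
            return self.cleared.popleft(), "reset"  # dropped from the buffer
        if self.acked:
            self.acked.rotate(-1)                   # reviewed, moves to bottom
            return self.acked[-1], "reviewed"
        return None

    def order(self):
        """Buffer contents from top to bottom."""
        return list(self.unack) + list(self.cleared) + list(self.acked)

    def additional_unacknowledged(self):
        """Count shown beside the message after a press (circle 136)."""
        return len(self.unack)

    def tile_state(self):
        # Fast flash taking precedence over slow flash is an assumption.
        if self.unack:
            return FAST
        if self.cleared:
            return SLOW
        return STEADY if self.acked else OFF


def demo():
    """Constructed scenario for one pump seal tile; returns a press-by-press trace."""
    buf = TileBuffer()
    for cond in ("HI CONTROL BLEED-OFF PRESSURE",
                 "LOW LUBE OIL PRESSURE",
                 "HI SEAL TEMP"):          # constructed sample conditions
        buf.raise_alarm(cond)
    buf.clear_alarm("LOW LUBE OIL PRESSURE")
    trace = []
    for _ in range(4):
        trace.append((buf.press(),
                      buf.additional_unacknowledged(),
                      buf.tile_state()))
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Because acknowledged entries are only reachable when the first two bands are empty, a newly arriving condition is always the next thing a press shows, which is the property worth checking when reviewing any alarm-handling logic of this kind.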

Alarm messages for priority 3 alarms and operator aids are only 
generated by the computer and only appear on the message line 132 of 
the CRT page (Figure 3); there will be no English descriptor provided 
on the message window of the DIAS display 78. One 
annunciator tile is provided at each annunciator 
workstation for all priority 3 alarms and 1 alarm tile 
is provided on the workstation for operator aids that 
are associated with this workstation. 

When an alarm condition changes priority, the 
following changes occur in the alarm handling system. 
When a higher priority alarm comes in on the same 
parameter, the previous alarm is automatically cleared 
(i.e., no operator acknowledgement necessary since he 
will need to acknowledge the higher priority condition) 
without a reset tone or slow flash rate. When an alarm 
condition improves to the point where the high priority 
alarm clears, the operator will need to acknowledge 
that the higher priority alarm has cleared; however, if 
the lower priority alarm still exists, it will turn on 
(upon operator acknowledgement of the higher priority 
cleared condition) and automatically go to the 
acknowledged state (i.e., no operator action 
required). The new lower priority alarm condition 
will be observed by the operator when reading the alarm 
message in response to clearing the highest priority 
alarm. 

The invention provides a means of listing and categorizing 
alarms, and accessing supporting display pages. In this system, alarms 
are provided on alarm listing display pages accessible from the fields 
138 of the DIAS display 78 and 140 of the CRT display 84 shown in 
Figures 15 and 13, respectively. The categories of alarms in this 
listing are as follows (see Figure 14): 

A) First Level Display Page Set (Major Plant 
System/Function Groupings) 142 

B) Control Room Workstation 144 

C) Alarm tiles 146 

A workstation's alarm tiles in alarm are listed by 
priority. Alarms associated with the alarm tiles are 
listed as they are contained in the alarm tile's alarm 
buffer. 

These alarm categories provide alarm data 
consistent with operator's information needs in 
response to alarm conditions. When accessing the 
Categorized Alarm Listing 78 via page 84 (Figures 4 
and 12), the operator can easily select the data in 
the category he wishes to see. Using the "Alarm List" 
menu option 140 (Figure 4) followed by a display page 
feature that represents alarm condition(s) (Figure 
12), the operator can view the specific alarm 
conditions that he is interested in (Figure 14). 

Three examples of accessing alarm data in the 
categorized list from page 84 (Figure 4) follow. 

1) The operator selects the "Alarm List" menu option 
140 (Figure 4) followed by the "Elec." menu 
option 148 (Figure 12). This accesses the 
categorized alarm listing (of the type shown in 
Figure 14) beginning with the electrical alarms. 

2) If the operator wishes to view alarms associated 
with a specific alarm, e.g., RCP1A, he selects 
the following menu options from page 84 (Figures 
4 and 12): 

- "Alarm Tiles" 150 

- "Primary" 152 

The display page's menu changes to a 
representation of the alarm tiles that are in alarm and 
are associated with the Primary Systems (see Figure 
14). At this time, the operator can request one of two 
different types of information formats associated with 
the displayed alarm tiles: 

A. Categorized Alarm List - The operator selects 
"Alarm List" followed by the tile, e.g., 
"RCP1A", menu option. The categorized alarm 
list is accessed with RCP1A alarms at the top 
of the page. 
B. Alarm Messages - The operator can use the 
alarm tile menu options in the same method 
that the control panel alarm tiles are used. 
The selection of an alarm tile menu option 
provides the alarm message and a menu with 
display pages that can provide supporting 
information about the alarm condition. 

Alarm information is also provided on all process 
display mimic diagrams which contain a component or 
parameter which is in an alarm condition. Color and 
shape coding is used to indicate alarm conditions, as 
described earlier. Parameters in alarms that are 
associated with a component can cause the represented 
component's descriptor to be highlighted to indicate an 
alarm condition if the parameter is not visible on the 
display page, e.g., pump lube oil pressure may not be 
listed on a level two display page, so the pump's 
descriptor may be alarm coded. If the operator desires 
to see the exact alarm condition associated with a 
component, he would access the appropriate lower level 
display page. Alternatively, he could touch the "Alarm 
Tiles" menu option followed by touching the component's 
descriptor and respond to the alarm using alarm tile 
representations. This action also accesses menu 
options associated with display pages that provide more 
detail about the component. 

The following means of alarm acknowledgement are 
provided with the invention. 

1) Alarm acknowledgement via the annunciator tiles - 
Alarms can be acknowledged by depressing 
alarming/unacknowledged annunciator tiles or a CRT 
annunciator tile representation. This action 
changes the annunciator tile from a flashing 
condition to a solid condition when all alarm 
conditions associated with the tile have been 
acknowledged and silences any audible sound 
(described later) associated with the alarm 
condition. Alarm messages are viewed on the 
message window (when using the physical tile) and 
the workstation's CRT message line (see Figure 
16). 

2) Alarm acknowledgement using alarm listing pages - 
Alarms can be acknowledged on the categorized 
listing by touching alarm tile touch targets 
associated with the alarm tile categories (see 
Figure 14). Upon touching the alarm tile's 
representation, all alarms associated with that 
tile are acknowledged. This means of alarm 
acknowledgement may be the most useful for 
acknowledging multiple alarms remote to the 
operator's location. 

Each of these methods of alarm acknowledgement 
clears unacknowledged alarm indicators in the other 
alarm formats. 

When an alarm condition clears, the operator needs 
to be notified. Notification is accomplished by 
flashing the annunciator tiles and associated process 
display page information at a slow rate. Acknowledging 
or resetting the cleared alarm indications takes place 
in a mechanism similar to acknowledgement of new 
alarms, i.e., touching an alarm tile or CRT alarm 
representation/feature. 



Distinct sounds/tones are provided in the control 
room to indicate the following alarm information: 

1. Unacknowledged Priority 1 or 2 Alarms. 

2. An Alarm Reminder Tone for Priority 1 or 2 
Unacknowledged or Cleared Conditions. 

3. Cleared Priority 1 Alarms, or Cleared Priority 
2 Alarms. 

An audible alarm, tone 1 or 3, is only present for 1 
second and tone 2 will repeat periodically, once every 
minute, until all new or cleared alarms are 
acknowledged. 

In situations where multiple unacknowledged alarms 
exist, the operator needs to direct his attention at 
the highest priority new alarm conditions. In this 
situation, all other unacknowledged alarms, i.e., new 
priority 2, 3 and all cleared alarm conditions, are 
added noise that distracts the operator from most 
important alarm conditions. In the control room a 
"STOP FLASH" and "RESUME" button exists at the MCC, ACC 
and ASC. When the "STOP FLASH" button is depressed 
the alarm system's behavior exhibits the following 
characteristics: 

- All new/unacknowledged priority 2, 3 and operator 
aid features change from a fast flash rate to a 
steady highlighted condition, i.e., tiles and CRT 
alarm representations. 

- Any cleared alarm conditions, i.e., slow flash 
rate, are not presented as alarm information. 

- Any new alarm condition or cleared alarm condition 
coming in after the "STOP FLASH" button has been 
activated, is normally displayed to the operator 
(i.e., flashing). However, the operator may 
redepress the alarm "STOP FLASH" button to 
suppress these conditions. 

The alarm reminder tone informs the operator about 
any unacknowledged new or cleared alarm conditions that 
exist. To identify these conditions for acknowledgment, 
the operator selects a "resume" button which returns 
all unacknowledged and cleared conditions to their 
normal representational alarm status. 

The alarm suppression button is backlit after 
selection to show that the alarm suppression feature is 
active. 

So that the operator can provide quick, direct 
access to supporting information thereby enhancing the 
operator response to alarm conditions, a single 
operator action provides alarm acknowledgement, display 
of alarm parameters, and selection options for CRT 
display pages appropriate for the alarm condition. 

The invention provides redundancy and diversity in 
alarm processing and display such that the operators 
have confidence in intelligent alarm processing 
techniques and such that plant safety and availability 
are not impacted by equipment failures. Priority 1 and 
2 alarms are processed and displayed by two independent 
systems. Two-system redundancy is invisible to the 
operators through continuous cross-checking and 
integrated operator interfaces. 

Figures 16-18 show a schematic alarm response 
using the tiles in accordance with the invention. The 
illustrated group of tiles is associated with the 
reactor coolant pump seal monitoring in the reactor 
cooling system panel shown in Figure 3. The priority 2 
seal/bleed system trouble alarm is illuminated to alert 
the operator, who then can read a more complete message 
in the message window, which indicates a high control 
bleed-off pressure. Such a message is provided for 
CRT shown 84 in the center of the panel in Figure 
, is part of the data processing system which processes 
and displays all plant operational data. Thus, it is 
linked to all other instrumentation and control systems 
in the control room. 

Figures 2, 28 and 30 schematically show the 
relationship of the data processing system to the 
control system, plant protection system, and discrete 
indication and alarm system. The data processing 
system 70 receives from the control system 64 the same sensor 
data that is used by the control system for executing the control 
logic. Likewise, it receives from the discrete indication and 
alarm system 72 the validated sensor data that is used by the 
discrete indication and alarm system for generating the discrete 
alarms and displays. The plant protection system 50 does 
not use internally validated data for its trip logic, 
and this "raw" signal is for each channel passed along 
to the data processing system 70 which performs its 
own signal validation logic 154 on the plant 
protection system signals, and passes on the 
internally validated signal to the validated signal 
comparison logic 156. In that functional area, the 
validated signals from the control system 64, the 
plant protection system 50 and the discrete indication 
and alarm system 72 are compared and displayed on the 
CRT 84. It should be appreciated that both the 
validated signal from the comparison logic 156 and the 
validated signal from the plant protection system are 
available for display on the CRT 84. 

Thus, the CRT display within each panel includes 
signal validation and all CRTs in the plant are capable 
of accessing any information available to the other 
CRTs in the plant. Moreover, on any given CRT, the 
alarm tile images from any other panel may be generated 
and the alarms acknowledged. Detailed display 
indicator windows may be accessed as well. The CRTs 
have a substantially real time response, with at most a 
two-second delay. 

The CRT display pages contain all the power plant 
information that is available to the operator, in a 
structured, hierarchic format. The CRT pages are very 
useful for information presentation because they allow 
graphical layouts of power plant processes in formats 
that are consistent with operator visualization. In 
addition, CRT formats can aid operational activities, 
where appropriate, by providing trends, categorized 
listing, messages, operational prompts, as well as 
alert the operator to abnormal processes. 

The primary method by which the operator obtains 
information formats on the CRTs is through a touch 
screen interface which operates in a known manner. The 
touch screens are based on infrared beam technology. 
Horizontal and vertical beams exist in a bezel mounted 
around the face of each color monitor. When the beams 
are obstructed by the user, the coordinates are 
cross-referenced with the display page data base to 
determine the selected information. 

Messages and Supporting Display page option touch 
targets can be accessed onto panel CRTs by touching 
other panel features, e.g., discrete indicators and 
alarm tiles. IPSO is available as a display page and 
forms the apex of the display page hierarchy (see Figures 10 
and 24). Three levels exist below IPSO, where each level of the 
hierarchy provides consistent information content to 
satisfy particular operational needs. The structure of 
the hierarchical format is based on assisting the 
operator in the performance of his tasks as well as 
providing quick and easy access to all information 
displayed via the CRTs. The display formats on the top 
level provide information for general monitoring 
activities, while the lowest level formats contain 
information that is most useful for supporting 
diagnostic activities. 

Level 1 display pages provide information that is 
most useful for general monitoring activities 
associated with a major plant process. These display 
pages inform the operator of major system performance 
and major equipment status and provide direction to 
lower level display pages for supportive or diagnostic 
information. The level 1 display pages are as follows: 

1) Primary Systems (example, see Figure 19) 

2) Secondary Systems 

3) Power conversion 

4) Electrical Systems 

5) Auxiliary Systems 

6) Critical Functions 

Level 2 display pages provide information that is 
most useful for controlling plant components and 
systems. These pages contain all information necessary 
to control the system's processes and functions. 
Parameters which must be observed during controlling 
tasks appear on the same display, even though they may 
be parts of other systems. Proposed operating 
procedures or guides for controlling components are 
utilized for determining which parameters to display. 
Figure 20 is a sample display for Reactor Coolant Pump 
1A and 1B Control. The operator would normally monitor 
the "Primary System" display page to assess RCS 
performance. If the operator wishes to operate or 
adjust RCP 1A or 1B, the operator would access the 
control display page. All information for Reactor 
Coolant Pump Control is on the control display to 
preclude unnecessary jumping between display pages. 

Level 3 display pages provide information that is 
most useful for diagnostic activities of the component 
and processes represented in level 2 display pages. 
Level 3 display pages provide data useful for 
instrument cross-channel comparisons, detailed 
information for diagnosing equipment or system 
malfunctions, and trending information useful for 
determining direction of system performance changes, 
degradation or improvement. Figure 21 shows a 
diagnostic display of the Seal and Cooling section of 
RCP1A; the pump portion, the supporting oil system, and 
the motor section are presented on a separate display 
page due to display page information density limits. 

Display page access is accomplished through the 
use of menus placed on the bottom of the display 
pages. Each display page contains one standard menu 
format that provides direct, i.e., single touch, access 
to all related display pages in the information 
hierarchy. The menu has fields (see Figure 10) where 
display page titles are listed. By selecting a field (a 
thru j), the specified display page is accessed. The 
menu option fields associated with a display page 
include the following (see Figure 22): 

1) The next higher level (when applicable) display 
page in the hierarchy, item (c). This feature is 
more meaningful on a 3rd level display page since 
the next higher level page is a level 2 display 
page which is not normally on the menu. 

2) Display pages of systems that are connected to or 
support the process of the presently displayed 
page (h,i). 

3) All six first level display pages (b,c,d,e,f,g). 

4) The IPSO display page (a). 

5) The last page viewed on the monitor (j). 

To access a display page described by a menu 
option, the operator would select the menu option (a-k) 
by touching the desired menu option field on the 
monitor. The menu option is highlighted (using black 
letters on a white background) until the display page 
appears. Since the menu options provide direct access 
to a minimum set of display pages in the display page 
hierarchy, alternate means are available for quickly 
accessing other display pages. Three options are 
available to the operator: 

(1) Display Page Access Using Alarm Tiles - This 
mechanism for display page access may be most 
useful for obtaining display pages associated with 
the workstation's process. By pressing a 
workstation alarm tile from display 78, such as 80 
(Figure 15), region 4 of the workstation CRT's 
display page menu changes to a new menu with display 
page options associated with the alarm tile's 
descriptor. For example, as shown in Figure 23, an 
RCP1A alarm tile provides menu options associated 
with RCP 1A. The desired display page will then be a 
direct access menu option. 

(2) Accessing CRT Information from the Discrete 
Indicators - Each discrete indicator 82, such as 
shown in Figure 7, has a CRT access touch 
target 158. This button provides for 
access to supporting information for the process 
parameter that is presently displayed on the 
discrete indicator. By touching the CRT target on 
the discrete indicator, region 4 of the menu 
options on the workstation's CRT changes to menu 
options containing display pages with supporting 
and diagnostic information associated with the 
process parameter. 

(3) Display Page Access Using a Display Page Directory 
- Any display page of the display page hierarchy 
can be accessed using the presently displayed 
menu. For example, if the operator is viewing the 
Feedwater System display page and wants to access 
the CVCS display page, the following sequence 
takes place (refer to Figures 22 and 4): 
The operator selects "by touch" the "DIRECTORY" 
menu option (option 1 in region 2, on Figure 
22) followed by the "PRIMARY" menu option 
(option b in region 3 on Figure 22). This 
accesses the primary section of the 
display page hierarchy from the display page 
library (see Figure 4). Each display page within 
the primary section of the display page hierarchy 
is a touch target on this display page, and now 
the operator can select the CVCS display page. 
Any page in the display page hierarchy can be 
accessed using this feature. The "DIRECTORY" menu 
option is followed by the desired hierarchy 
associated with one of the six first level display 
pages, menu options b,c,d,e,f or g on Figure 22. 

In addition to the menu options described above, 
menu options exist for "LAST PAGE", "ALARM LIST", 
"ALARM TILES", "OTHER", and horizontal paging options 
("Keys"). The "LAST PAGE" (option j on Figure 22) 
provides direct access to the last page that was on the 
monitor. This is very useful to operators for 
comparison of information between two display pages, or 
retrieval of information that the operator was 
previously involved with. 

The "ALARM LIST" (option n on Figure 22) provides 
for quick access to the alarm listing display pages. 

The "ALARM TILES" (option m on Figure 22) provides 
for quick access to alarm tile representations of 
active alarm tiles in the area above Region 4 (see 
Figure 23) of the workstation's CRT menu. This allows 
an operator to access alarm information associated with 
specific tiles on any workstation's CRT. This method 
of alarm access is further described in Section 5 of 
this document. 

The "OTHER" (option k on Figure 22) provides 
access to display pages or information that does not 
fall into the categories of information described by 
the presently displayed menu options. 

IPSO 

Another part of the data processing system is the 
integrated process status overview (IPSO board - see Figure 24). 
Although the number of displays and alarms stimulating 
the operator at any one time can be considerably 
reduced using the panels having the discrete alarm, 
discrete display, and CRT displays described above, the 
number of stimuli is still relatively high and, 
particularly during emergency operations, may cause 
delay in the operator's understanding of the status and 
trends of the critical systems of the NSSS. A single 
display is needed that presents only the highest level 
concerns to the operator and helps guide the operator 
to the more detailed information as it is needed. 
Although some attempts have been made in the past to 
present a large board or display to the operator, such 
displays to date have not included a significant 
consolidation of information in the nature to be 
described below. 

The IPSO board presents a high level overview of 
all high level concerns including overview of the plant 
state, critical safety and power functions, symbols 
representing key systems and processes, key plant data, 
and key alarms. IPSO information includes trends, 
deviations, numeric values of most representative 
critical function parameters, and the existence and 
system location of priority 1 alarms including 
availability and performance status for systems 
supporting the critical functions. This is otherwise 
known as success path monitoring. The IPSO board also 
can identify the existence and plant area location of 
other unacknowledged alarms. Thus, IPSO bridges the 
gap between an operator's tendency toward system 
thinking and a more desirable assessment of critical 
functions. This compensates for reduction in the 
dedicated displays to help operators maintain a feel for 
plant conditions. It also helps operators maintain an 
overview of plant performance while being involved in 
detailed diagnostic tasks. IPSO provides a common 
mental visualization of the plant process to facilitate 
better communication among all plant personnel. 

In Figure 25, the condition illustrated is a 
reactor trip. At the instance illustrated, the 
temperature rise in the reactor is 27° and the 
average temperature rise is higher than desired and 
rising, as indicated by the arrow and "+". The 
pressurizer pressure is higher than desired, but it is 
falling. Likewise, the steam generator water level is 
higher than desired but falling. 

Figure 24 shows a CRT display page hierarchy 
wherein the IPSO is at the apex, the first level 
display page set contains generic monitoring 
information for each of the secondary, electrical, 
primary, auxiliary, power conversion and critical 
function systems, the second level of display pages 
relates to system and/or component control, and the 
third level of display pages provides details and 
diagnostic information. IPSO is a continuous display 
visible from any control room workstation, the shift 
supervisor's office, and Technical Support Center. The 
IPSO is centrally located relative to the master 
control console. The IPSO also exists as a display 
page format that is accessible from any control room 
workstation CRT as well as remote facilities such as 
the Emergency Operations Facility. 

The IPSO large panel format is 4.5 feet high by 6 
feet wide. Its location, above and behind the MCC 
workstation, is approximately 40 feet from the shift 
supervisor's office (the furthest viewable point). 

One of the beneficial aspects of IPSO is the use 
of IPSO information to support operator response to 
plant disturbances, particularly when a disturbance 
affects a number of plant functions. IPSO information 
supports the operator's ability to respond to 
challenges in plant power production as well as 
safety-related concerns. 

IPSO supports the operator's ability to quickly 
assess the overall plant's process performance by 
providing information to allow a quick assessment of 
the plant's critical safety functions. The concept of 
monitoring plant power and safety functions allows a 
categorization of the power and safety-related plant 
processes into a manageable set of information that is 
representative of the various plant processes. 

The critical functions are: 

Critical To: 

Function ESHST Safety 

1. Reactivity Control X X 

2. Core Heat Removal X X 

3. RCS Heat Removal X X 

4. RCS Inventory Control X X 

5. RCS Pressure Control X X 

6. Steam/Feed Conversion X 

7. Electric Generation X 

8. Heat Rejection X 

9. Containment Environment Control X 

10. Containment Isolation X 

11. Radiological Emissions Control X X 

12. Vital Auxiliaries X X 

A 3x4 alarm matrix block 160 containing a box 162 for each 
critical function exists in the upper right hand corner of IPSO 
(see Figure 25 and the CRT display of IPSO in Figure 10). The 
matrix provides a single location for the continuous display of 
critical function status. If a priority 1 alarm condition 
exists that relates to a critical function, the 
corresponding matrix box 164 will be highlighted in the 
priority 1 alarm presentation technique. Critical 
Function alarms are representative of one of the 
following priority 1 conditions: 

- Failure to satisfy the safety function status 
checks (post-trip). 

- Poor performance of a success path/system that is 
being used to support a critical function. 

- An undesirable priority 1 deviation in a power 
production function (pre-trip). 

- Unavailability of a safety system (less than 
minimum availability as defined by Reg. Guide 
1.47). 

The 3x4 matrix representation is an overview 
summary of the 1st level critical function display page 
information (Figure 32). The operator obtains the details 
associated with critical function and Success Path 
alarms in the Critical Function section of the display 
page. 

Each critical function can be maintained by one or 
more plant systems. Information on IPSO is most 
representative of the ability of supporting systems to 
maintain the critical functions. For some critical 
functions, the overall status of the critical function 
can be assessed by a most representative controlled 
parameter(s). For these critical functions, the 
process parameter's relationship to the control 
setpoint(s) and indication of improving or degrading 
trends is represented on IPSO to the right of the 
parameter's descriptor. 

An arrowhead as explained in Figure 26 is used if the 
integral of the parameter's value is greater than an acceptable 
narrow band control value, indicating that the parameter is 
moving toward or away from the control setpoint. The 
arrowhead's direction, up or down, indicates the 
direction of change of the process parameter. If these 
parameters deviate beyond normal control bounds, a plus 
or minus sign is placed above or below the control 
setpoint representation. 

The following bases were used for the selection of 
parameters or other indications that are used on IPSO 
to provide the monitoring of the overall status of the 
critical functions. 

1. Reactivity Control 

Reactor power is the only parameter displayed on 
the IPSO as a means of monitoring reactivity. Using 
Reactor Power, the operator can quickly determine if 
the rods have inserted. He can also use Reactor Power 
to determine the general rate and direction of 
reactivity change after shutdown. Reactor Power is 
displayed on IPSO with a digital representation 166 because 
a discrete value of this parameter is most meaningful 
to both operators and administrative personnel. The 
IPSO also provides an alarm representation on the 
reactor vessel if there is a priority 1 alarm condition 
associated with the Core Operating Limit Supervisory 
System. 

2. Core Heat Removal 

A representative Core Exit Temperature 168 and 
Subcooled Margin 170 are the parameters presented on IPSO 
for determining if Core Heat removal is adequate. If 
Core Exit Temperature is within limits, then the 
operator can be assured of maintaining fuel integrity. 
The Subcooling Margin is used because it gives the 
operator the temperature margin to bulk boiling. 

Core Exit Temperature is represented on IPSO by 
using a dynamic representation (i.e., trending format), 
since there is a distinct upper bound that defines a 
limit to core exit temperature, and setpoints for 
representational characteristics can be easily defined. 

Subcooled Margin is also represented on IPSO using 
a dynamic representation since there is a lower bound 
which defines an operational limit for maintaining 
subcooling. 

3. RCS Heat Removal 

T H, T C, S/G Level 172, and T ave 174 are used on IPSO 
to provide the operator the ability to quickly assess 
the effectiveness of the RCS Heat Removal Function. 

In order to remove heat from the Reactor Coolant, 
S/G Level must be sufficiently maintained so that the 
necessary heat transfer can take place from the RCS to 
the steam plant. A dynamic representation is used so 
the operator can observe degradations or improvements 
in deviant condition at a glance. 

T H and T C are used on IPSO because they are 
needed by the operator to determine how much heat is 
being transferred from the reactor coolant to the 
secondary system. A digital value of these parameters 
is used since a quick comparison of these parameters is 
desired for observing the delta T. In addition, an 
indication of their actual values is used often and 
would be helpful to an operator in locations where the 
discrete indicator displaying T H and T C is not 
easily visible. 

T ave is presented on IPSO using a dynamic 
representation to allow quick operator assessment of 
whether this controlled parameter is within acceptable 
operating bounds. 

4. RCS Inventory Control 

Pressurizer Level 176 is presented on the IPSO using a 
dynamic representational indication to allow the 
operator to quickly assess whether the RCS has the proper 
quantity of coolant and observe deviations in level 
indicative of improving or degrading conditions. 

5. RCS Pressure Control 

Pressurizer Pressure 178 and Subcooled Margin are used 
as the indications on IPSO for RCS 
Pressure Control. 

A dynamic representation is used on IPSO to notify 
the operator of changing pressure conditions that may 
indicate RCS depressurization or overpressurization. 

A dynamic representation is used on IPSO for 
saturation margin. A saturation condition in the RCS 
can adversely affect the ability to control pressure by 
the pressurizer. Also, if pressure is dropping, the 
subcooled margin monitor representation on IPSO depicts 
a decrease in the margin to saturation. 

6. Steam/Feed Conversion 

The processes associated with Steam/Feed 
Conversion can be quickly assessed by providing the 
following information on IPSO: 

(a) Feedwater and Condensate System Status Information 
(i.e., operational status, alarm status) 

(b) Steam Generator Levels, Dynamic Representation 

(c) Steam Generator Safety Valve Status 

(d) Atmospheric Dump Valve Status 

(e) Main Steam Isolation Valve Status 

(f) Turbine Bypass System Status 

7. Electric Generation 

The processes associated with Electric Generation 
can be quickly assessed by providing the following 
information on IPSO: 

(a) Plant net electric output, digital value. 

(b) Alarm information for deviations in important 
processes associated with the main turbine and 
turbine generator. 

(c) Power distribution operational and alarm status to 
the plant busses and site grid. 

8. Heat Rejection 

The processes associated with heat rejection can 
be quickly assessed by providing the following 
information on IPSO: 

(a) Circulation water system status. 

(b) Alarm information for critical deviations in 
condenser pressure conditions. 

9. Containment Environment Control 

Containment Pressure and Containment Temperature 
are the parameters which are used on the IPSO to 
monitor the control of the Containment Environment. 
These are presented on IPSO using a dynamic 
representation to allow assessment of trending and 
relative values. The Containment Pressure variable is 
used on the IPSO to warn the operator about an adverse 
overpressure situation which could be the result of a 
break in the Reactor Coolant System. The Containment 
Temperature also helps indicate a possible break in the 
Reactor Coolant System; it also can indicate a 
combustion in the Containment Building. 

10. Containment Isolation 

The Containment Isolation Safety function is 
monitored on the IPSO with a Containment Isolation 
system symbol representation. This symbol will be 
driven by an algorithm which presents the effectiveness 
of the following containment isolation situations when 
the associated conditions warrant containment 
isolation: 

- Containment Isolation Actuation 

- Safety Injection Actuation 

- Main Steam Isolation 

- Containment Purge Isolation 

11. Radiological Emissions Control 

Radiation symbols exist on IPSO which present 
notification of high radioactivity levels such as 
(1) inside containment, and (2) radiation associated with 
radioactivity release paths to the environment. These 
symbols will only be presented on IPSO when high 
radiation levels exist. These indications are 
presented in the alarm color in a location relative to 
the sensor if any of the following situations occurs: 

- High Containment Airborne Radiation 

- High Activity Associated with Any Release Path 

- High Coolant Activity 

12. Vital Auxiliaries 

Vital Auxiliaries are monitored on IPSO by 
providing the following information: 

(a) Diesel Generator Status 

(b) Status of Power Distribution within the Power 
Plant 

(c) Instrument Air System Status 

(d) Service Water System Status 

(e) Component Cooling Water System Status 

The systems represented on IPSO are the major heat 
transport path systems and systems that are required to 
support the major heat transport process, either power 
or safety related. These systems include systems that 
require availability monitoring per Reg. Guide 1.47, 
and all major success paths that support the plant 
Critical Functions. 

The following systems have dynamic representations 
on IPSO: 

Component Cooling Water 
Condensate 
Containment Isolation 
Containment Spray 
Circulating Water 
Emergency Feedwater 
Feedwater 
Instrument Air 
Shutdown Cooling 
Reactor Coolant 
Safety Injection 
Service Water 
Turbine Bypass 

System Information presented on IPSO includes 
systems operational status, change in operational 
status (i.e., active to inactive, or inactive to 
active) and the existence of a priority one alarm(s) 
associated with the system. Alarm information on 
systems can also help inform an operator about success 
path related Critical Function alarms. 

Priority 1 alarm information is also presented on 
IPSO by alarm coding the descriptors of the 
representative features on IPSO as described above. 

IHTEGRATTOW OP m^^, 

Figure 27 presents an overview of the integrated 
information presentation available to the operator in 
accordance with the invention. From the integrated 
process status overview or board, the operator may 
observe the high priority alarms. If the operator is 
concerned with parameter trends, he may view the 
discrete indicators. If he is interested in the system 
and component status, he may view the settings on the 
system controls. Thus, the IPSO information is 
displayed either on the board or at the panel CRT, and 
the other information from the operator's panel or any 
other panel, is available to the operator on his CRT. 
From the IPSO overview, the operator may navigate 
through the CRT or DIAS display pages. Moreover, the 
operator has direct access to either of these types of 
information from any of the control panels and when a 
system control is adjusted or set, the results are 
incorporated into the other alarm and display 
generators in the other panels. 

As shown in Figures 2 and 28-31, in general 
overview, the integration of the system means that each 
panel including the main console, the safety console, 
and the auxiliary console, includes a CRT 84 which is 
driven by the data processing system 70. The data 
processing system utilizes the plant main computer and, 
although being more powerful, it is not as reliable as 
the DIAS 72 computers (which may be distributed 
microprocessor-based or mini-computer based). Also, 
it is slower because it is menu driven and performs 
many more computations. It is used primarily for 
conveying the most important information to the 
operator and thus important alarm tiles can be viewed 
on each CRT and acknowledged from any CRT. Any 
information available on one CRT is available at every 
other CRT. The indicator and alarm system 72 for a 
given panel is related to the controls, but the 
discrete (i.e., quick and accurate) aspects of the alarms and 
indicator displays 78, 82, and controls of that panel are not 
available at any other panel. 

Basically, information is categorized in three 
ways. Category 1 information must be continuously 
displayed at all times and this is accomplished in 
DIAS 72. Category 2 information need not be continuously 
available, but it must nevertheless be available 
periodically and this is also the responsibility of 
DIAS 72. Category 3 information is not needed rapidly and 
is informational only, and that is provided by the 
DPS 70. In the event of the failure of DPS, some 
essential information is provided by DIAS. The DPS and 
DIAS are connected to the IPSO board by a display 
generator 180. From the IPSO, the operator can obtain 
detailed information either by going to the panel of 
concern, or paging through the CRT displays. 

It should be appreciated that DIAS and DPS do not 
necessarily receive inputs for the same parameters, 
but, to the extent they do receive information from 
common parameters, the sensors for these parameters are 
the same. Moreover, the validation algorithms used in 
DIAS and DPS are the same. Furthermore, the algorithms 
used for the discrete alarm tiles and the discrete 
indicators include as part of the computation of the 
"representative" value, a comparison of the DIAS and 
DPS validated values. 

Figure 29 is a block diagram representing the 
discrete indicator and alarm system in relation to 
other parts of the control room signal processing. 
The DIAS system preferably is segmented so that, for 
example, all of the required discrete indicator and 
discrete alarm information for a given panel N is 
processed in only one segment. Each segment, however, 
includes a redundant processor. The information and 
processing in DIAS 1 is for category 1 and 2 
information which is not normally displayed directly on 
IPSO. IPSO normally receives its input from the DPS. 
However, in the event of a failure of DPS, certain of 
the DIAS information is then sent to the IPSO display 
generator for presentation on the IPSO board. 

It should also be appreciated that both DIAS and 
the DPS utilize sensor output from all sensors in the 
plant for measuring a given parameter, but that the 
number of sensors in the plant for a given parameter 
may differ from parameter to parameter. For example, 
the pressurizer pressure is obtained from 12 
sensors, whereas another parameter, for example, from 
the balance of plant, may only be measured by two or 
three sensors. Some systems, such as the plant 
protection system, do not employ validation because 
they must perform their function as quickly as possible 
and employ, for example, a 2 out of 4 actuation logic 
from 4 independent channels. In the event the 
validation for a given parameter differs as determined 
within two or more systems, an alarm or other cue will 
be provided to the operator through the CRT. 

One of the significant advantages of the present 
invention is that the DPS need not be nuclear 
qualified, yet it can be confidently used because it 
obtains parameter values from the same sensors as the 
nuclear qualified DIAS. These are validated in the 
same manner and a comparison is made between the 
validated DPS parameters and the validated DIAS 
parameters, before the DPS information is displayed on 
the CRTs or the IPSO. 

The nuclear qualification of the alarm tiles and 
windows, and the discrete indicator displays in the 
DIAS are preferably implemented using a 512X256 
electroluminescent display panel, power conversion 
circuitry, and graphics drawing controller with VT text 
terminal emulation, such as the M3 electroluminescent 
display module available from the Digital Electronics 
Corporation, Hayward, California. The control function 
of each panel is preferably implemented using discrete, 
distributed programmable controllers of the type 
available under the trademark "MODICON 984" from the 
AEG Modicon Corporation, North Andover, Massachusetts, 
U.S.A. Thus, the computational basis of the DIAS is 
with either distributed, discrete programmable 
microprocessors or mini computers, whereas the 
computational basis of the DPS is a dedicated main 
frame computer. 

The ESF control system and the process component 
control system are shown schematically in Figure 31, 
whereas the plant protection system is preferably of 
the type based on the "Core Protection Calculator" 
system such as described in U.S. Patent 4,330,367, 
"System and Process for the Control of a Nuclear Power 
System", issued on May 18, 1982, to Combustion 
Engineering, Inc., the disclosure of which is hereby 
incorporated by reference. 

Another aspect of integration is the capability to 
display the critical functions and success path in IPSO 
as described above. Since the major safety and power 
generating signal and status generators are connected 
to both DIAS and DPS, the operator may page through the 
critical functions in accordance with the display page 
hierarchy shown in Figures 32 through 35. In Figure 
33, the operator is informed that the emergency feed is 
unavailable in the reactor coolant system. In Figure 
34, the operator is informed that the emergency feed is 
unavailable and the reactor is in a trip condition. 
Under these circumstances, the operator must determine 
an alternative for removing heat from the reactor core, 
and can do so by paging to the second level of the critical 
function display page which, although shown for 
inventory control (Figure 35), would have a comparable level of 
detail for heat removal. This type of information with 
this level of detail and integration is available for 
all critical functions under substantially all 
operating conditions, not only during accidents. 

It should be appreciated that, as mentioned above, 
the discrete tile and message technique significantly 
reduces the surface area required on the panel to 
perform that particular monitoring function. 
Similarly, the discrete display portion of the 
monitoring function, including the hierarchical pages, 
is condensed relative to conventional nuclear control 
room systems. The control function on a given panel 
can be consolidated in a similar fashion. 

Thus, a feature of the present invention is the 
physical modularity of each panel constituting the 
master control console, and more generally, of each 
panel in the main control room. In essence, the space 
required for effective interface with the operator for 
a given panel, becomes independent of the number of 
alarms or displays or controls that are to be accessed 
by the operator. For example, as shown in Figure 3, 
six locations on each side of the CRT may be allocated 
for alarm and indicator display purposes. Preferably, 
the top two on each side are dedicated to alarms 78 and the other 
four on each side dedicated to the indicator display 82. An 
identical layout is provided for each panel in the control room. 

This permits significant flexibility and cost 
savings during the construction phase of the plant 
because the hardware can be installed and the terminals 
connected early in the construction schedule, even 
before all system functional requirements have been 
finalized. The software based systems are shipped 
early with representative software installed to allow 
preliminary checking of the control room operations. 
Final software installation and functional testing are 
conducted at a more convenient point in the 
construction schedule. This method can accelerate 
plant construction schedules for the instrumentation 
and control systems significantly. Since the 
instrumentation and control requirements for a given 
plant are often not finalized until late in the plant 
design schedule, the present invention will in almost 
every case significantly reduce costly delays during 
construction. This is in addition to the obvious cost 
savings in the ability to fabricate uniform panels, 
both in the engineering phase normally required to 
select the locations of and lay out the alarms and 
displays, and in the material savings in fabricating 
more compact panels. Furthermore, such modularity in 
the plant facilitates the training of operators and, 
when operators are under stress during emergencies, 
should reduce operator error because the functionality 
of each panel is spatially consistent. 

Thus, each modular control panel has spatially 
dedicated discrete indicators and alarms, preferably at 
least one spatially dedicated discrete controller at 88, a 
CRT 84, and interconnections with at least one other 
modular control panel or computer for communication 
therewith. For example, communication via the DPS 
includes, among other things, the ability to 
acknowledge an alarm at one panel while the operator is 
located at another panel, and the automatic 
availability at every other panel of information 
concerning the system controlled at one panel. 

Figure 36(a) illustrates the conventional 
sequence for furnishing instrumentation and control to 
a nuclear power plant and 36(b) the sequence in 
accordance with the invention. Conventionally, the 
input and outputs are defined, the necessary algorithms 
are then defined, and these specify the man machine 
interface. Fabrication of all equipment then begins 
and all equipment is installed in the plant at 
substantially the same time before system testing can 
begin. In contrast, the modularity of the present 
invention permits fabrication of hardware to begin 
immediately in parallel with the definition of the 
input/output. Likewise, the hardware can be installed 
and generically tested in parallel with the definition 
of the man machine interface and the definition of the 
algorithms that are plant specific. The hardware and 
software are then integrated before final testing. In 
a conventional nuclear installation, the equipment is 
installed during the fourth year of the entire 
instrumentation and control activity, whereas with the 
present invention, equipment can be installed during 
the second or third year. 

With further reference to Figure 2, the process 
component control system and the engineered safety 
features component control system 56 use programmable 
logic controllers similar to the Modicon equipment 
mentioned above including input and output multiplexors 
and associated wires and cabling, all of which can be 
shipped to the plant before the plant specific logic 
and algorithms have been developed. This equipment is 
fault tolerant. 

The data processing system 70 uses redundant plant 
main frame computers, along with modular software and 
hardware and associated data links. Such hardware can 
be delivered and the modular software that is specific 
to the plant installed, just prior to integration and 
system testing. 

The DIAS 72 also uses input/output multiplexors and a 
fault tolerant arrangement, with programmable logic 
processors or mini-computers, with the same advantages 
as described with respect to the process control and 
engineered safety features control systems. 

APPENDIX 

DETAILED EXAMPLES OF VALIDATION ALGORITHM 

This Appendix describes the details of the generic 
validation and display algorithm implemented in the DPS and DIAS. 

Definition of Terms Used in Discussion 

PAMI - Post Accident Monitoring Instrumentation. 

Instrument Uncertainty - The performance accuracy of a sensor and 
its transmitter (i.e., if accuracy is ± 1%, the instrument 
uncertainty is 2%). 

Expected Process Variation - The difference in temperature (or 
other unit of measurement) between sensors measuring the same 
process parameter due to expected variation in the process 
temperature (or other unit of measurement) at different sensor 
locations. 

Calculated Signal - A single signal that the algorithm calculates 
to represent all sensors measuring the same parameter. 

Process Representation - A single signal that is output for 
displays and alarms where a single value is needed as opposed to 
multiple sensor values. The "process representation" will always 
be the "calculated signal" unless a failure has occurred. After a 
failure it may be the output of a single sensor selected by the 
operator or algorithm. 

Valid - A "calculated signal" that has been verified to be 
accurate by successfully deviation checking all of its inputs with 
their average. 

Valid PAMI - A "valid" "process representation" that deviation 
checks successfully against the "PAMI" sensors. 

Validation Fault - A failure of the validation and display 
algorithm to calculate a "Valid" "Calculated Signal". 

PAMI Fault - A failure of the "Calculated Signal" to deviation 
check successfully against the "PAMI" sensors. 

Fault Select - The "calculated signal" that is the output of the 
sensor closest to the last "valid" signal at the time validation 
initially failed. 

Operator Select - A "process representation" that is the output of 
the sensor that the operator has selected after a "PAMI Fault" or a 
"Validation Fault". 

Good - A label given to a sensor that deviation checks 
successfully against the "Operator Select" or "Valid" "Process 
Representation". 

Bad - A label given to a sensor that fails to deviation check 
successfully against the "Valid" "Process Representation". 

Suspect - A label given to the "good" sensor that deviates the 
most from the average "calculated signal" when any deviation check 
fails. 

"Validation Fault Operator Select Permissive" - The permissive 
that allows the operator to select an individual sensor as the 
"Process Representation" when the algorithm is unable to calculate 
a "valid" signal. 

"PAMI Fault Operator Select Permissive" - The permissive that 
allows the operator to select an individual sensor as the "Process 
Representation" when the "valid" "calculated signal" does not 
deviation check successfully against "PAMI" indication. 

Validation and Display Algorithm 

The sensor inputs (A, B, C, D) are all read and stored at the time 
the algorithm begins. The algorithm uses these stored inputs to 
perform all steps (1-10), which comprise a scan. When the algorithm 
is repeated (after step 10), the sensor inputs are read and stored 
again, for use on the new scan. 

Determination of "Calculated Signal" and Faults (steps 1, 2, 3, 4, 5) 

Validation Attempt (steps 1, 2, 3) 

1. The algorithm checks to see if there are 2 or more "good" 
sensors. 

Yes, go to step 2 
No, go to step 5 

Note: A sensor is "good" if it was not declared a "bad" 
sensor on the previous scan or a "suspect" sensor on 
a previous pass. 

2. The algorithm averages all "good" sensors (A, B, C, D). Go to 
step 3. 

3. Deviation check all good sensors against the average (within 
sum of 1/2 instrument uncertainty and expected process 
variation). 

- If all deviation checks are satisfactory do the following: 

a. Clear the "Validation Fault" alarm, if previously 
present. 

b. Clear the permissive that allows the operator to 
select a sensor after a validation fault (i.e., 
"Validation Fault Operator Select Permissive"), if 
previously present. 

c. Declare any "suspect" sensor "bad" and output a 
sensor deviation alarm on that sensor. 

d. Output the average as the "valid" "calculated 
signal". 

e. Go to step 4. 

- If any deviation checks are unsatisfactory, the following 
occurs: 

a. The sensor with the greatest deviation from the 
average is flagged as "suspect", then the algorithm 
checks to see if this is the first or second pass on 
this scan. 

If the first pass, the algorithm is repeated, 
beginning at step 1. 

Note: If the deviation check fails on the 
first pass, the algorithm has used one 
or more bad sensors to calculate the 
average. Performing a second pass 
eliminates the one bad sensor or 
determines that multiple sensors are 
bad. 

If it is the second pass, validation fails, go to 
step 5. 

Note: Failing to pass the deviation check on 
the second pass indicates that there 
are two or more simultaneous sensor 
failures. The algorithm cannot be 
sure to correctly eliminate only the 
bad sensors, therefore the algorithm 
must fail. This insures that the 
algorithm does not calculate an 
incorrect "valid" signal for this 
case. Normally without two or more 
simultaneous failures, the algorithm 
will detect multiple non-simultaneous 
deviations, sequentially eliminate 
them from the algorithm and still 
determine a "valid" signal. 



Valid - PAMI Check (step 4) 

4. (Step applicable if process has a Category 1 PAMI Sensor. If 
there is no PAMI sensor(s) in this process, the step is not 
performed, go to step 6.) 

Does the "valid" signal deviation check against the PAMI 
sensor(s)? 

a. Yes. Output the "PAMI" message and if not previously 
present, remove the "PAMI Fault Operator Select 
Permissive", clear the "PAMI Fault" alarm if present, go to 
step 6. 

Note: The "PAMI Fault Operator Select Permissive" 
allows the operator to select any sensor for 
the "process representation" when the 
"calculated signal" (i.e. algorithm's "valid" 
output) does not agree with the PAMI sensor(s). 

b. No. Perform the following: 

Remove the "PAMI" message 
Generate a "PAMI Fault" alarm 
Enable the "PAMI Fault Operator Select Permissive" 
Go to step 6. 

Failed Validation (step 5) 

5. The algorithm checks to see if the "calculated signal" on the 
previous scan was a "Fault Select" sensor. 

- If the previous scan was not "fault select", a "validation 
fault" has just occurred. Do the following: 

a. Generate a "Validation Fault" alarm. 

b. Declare all "suspect" sensors "good". 

Note: This step insures that the algorithm will 
attempt to validate using all sensors not 
previously determined "bad" on the next 
validation attempt. 

c. Enable the permissive for the operator to select an 
individual sensor output for "process 
representation" (the "Validation Fault Operator 
Select Permissive"). 

d. Deviation check all sensors against the last "valid" 
signal. Select the sensor that deviates the least 
from the last "valid" signal as the "fault select" 
sensor. 

e. Output the signal from the "fault select" sensor as 
the "calculated signal". 

f. Go to step 6. 

- If the previous scan was "fault select", validation had 
failed previously and already picked a "fault select" 
sensor. Continue to output the "fault select" sensor as 
the "calculated signal", go to step 6. 

Note: It is important that the sensor initially fault 
selected be retained since over time other 
failed sensors may erroneously appear more 
accurate. 

"Process Representation" Selection (steps 6, 7) 

6. The algorithm checks to see if there is either the "Validation 
Fault Operator Select Permissive" or the "PAMI Fault Operator 
Select Permissive". 

Note: A validation fault enables one Operator Select 
Permissive and failure of the "valid" algorithm 
output to deviation check satisfactorily against 
"PAMI" gives the other Operator Select Permissive. 

If there is no Operator Select permissive, output the 
"calculated signal" as the "process representation", go 
to step 9. 

If there is an Operator Select permissive, go to step 7. 

7. Check to see if the operator has selected a sensor as the 
"process representation". 

Yes, output the signal from the selected sensor as the "process 
representation", go to step 8. 

No, output the "calculated signal" as the "process 
representation", go to step 9. 

Note: This step outputs the "calculated signal" as the 
"process representation" when the operator has the 
option to select a sensor, but does not use that 
option. 

PAMI Check of "Operator Select" Sensor (step 8) 

8. Does the "operator select" sensor deviation check against the 
PAMI sensor (within sum of PAMI instrument uncertainty and 
expected process variation)? 

Yes, output the "PAMI" message on the "process representation" 
display. 

No, remove the "PAMI" message on the "process representation" 
display. 

Bad Sensor Evaluation (step 9) 

9. Is the "process representation" "valid" or "operator select"? 

No, go to step 10 ("bad" sensor evaluations are not 
performed when the "process representation" is from a 
"fault select" sensor). 

Yes, deviation check all "bad" sensors (A, B, C, D) 
against the "valid" or "operator select" signal by the 
following methods: 

- Deviation check "bad" sensors to be within sum of 
instrument range uncertainty and expected process 
variation. 

a. Remove "bad" data flags and make them "good" on 
all sensors passing the deviation check, if 
present, and clear the associated sensor 
deviation alarm. 

b. Maintain "bad" data flags on all sensors failing 
the deviation check. 

c. Go to step 10. 

Range Check (step 10) 

10. The algorithm checks to see if the "process representation" is 
at or above the maximum numerical range, or at or below the 
minimum numerical range for the sensors. 

Yes, output the message "Out-of-Range" along with the 
"process representation" signal. On the CRT place an 
asterisk (*) preceding the "process representation". Go 
to step 1 and repeat the algorithm. 

No, go to step 1 and repeat the algorithm. 

Note: "Out-of-range" informs the operator that the actual 
process value may be higher or lower than the sensor 
is capable of measuring. In the case of process 
measurements with multiple ranges of sensors this 
check will cause the selection of sensors in a new 
range. 

Note: On the RCS panel, RCP Differential Pressure, SS 
Differential Pressure and Pressurizer Level Reference 
Leg Temperature use this generic validation 
algorithm directly. The T cold, T hot, Pressurizer 
Level and Pressurizer Pressure algorithms use this 
generic algorithm with additional steps and minor 
modifications to accommodate: 

1. Different numbers of sensors 

2. Multiple sensor ranges 

3. Data reduction in related process measurements. 
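
The validation attempt, fault selection and bad-sensor re-evaluation of the generic algorithm (steps 1-3, 5 and 9), as an added Python example that is not code from the patent. The class and function names, the two tolerance parameters, the constructed readings, reading "instrument range uncertainty" in step 9 as the full uncertainty band, and raising an error when validation fails before any valid scan exists are assumptions; the PAMI, operator-select and range-check steps are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SensorValidator:
    """Hypothetical name; holds the state the algorithm carries between scans."""
    instrument_uncertainty: float        # full band, e.g. 2.0 for a +/-1.0 sensor
    process_variation: float             # expected spread between sensor locations
    bad: Set[str] = field(default_factory=set)
    last_valid: Optional[float] = None
    fault_select: Optional[str] = None   # sensor retained since validation first failed
    validation_fault: bool = False       # alarm plus operator-select permissive

    def scan(self, readings: Dict[str, float]) -> Tuple[float, str]:
        """Run one scan on stored readings; return (calculated signal, status)."""
        tol = self.instrument_uncertainty / 2 + self.process_variation
        suspects: List[str] = []
        for _ in range(2):                                     # first and second pass
            good = {k: v for k, v in readings.items()
                    if k not in self.bad and k not in suspects}
            if len(good) < 2:                                  # step 1
                break
            avg = sum(good.values()) / len(good)               # step 2
            dev = {k: abs(v - avg) for k, v in good.items()}   # step 3
            if max(dev.values()) <= tol:
                self.bad.update(suspects)                      # 3c: suspect becomes bad
                self.validation_fault = False                  # 3a, 3b
                self.fault_select = None
                self.last_valid = avg
                self._recheck_bad(readings, avg)               # step 9
                return avg, "valid"
            suspects.append(max(dev, key=dev.get))             # greatest deviation
        # Suspects are local to this scan, so they count as good again next scan (5b).
        return self._fault_select(readings), "fault select"    # step 5

    def _fault_select(self, readings: Dict[str, float]) -> float:
        if self.fault_select is None:                          # fault has just occurred
            if self.last_valid is None:
                # Assumption: the page does not cover a fault before any valid scan.
                raise RuntimeError("no previous valid signal to fault-select against")
            self.validation_fault = True                       # 5a, 5c
            self.fault_select = min(                           # 5d: least deviation
                readings, key=lambda k: abs(readings[k] - self.last_valid))
        return readings[self.fault_select]                     # 5e, retained afterwards

    def _recheck_bad(self, readings: Dict[str, float], reference: float) -> None:
        # Assumption: "instrument range uncertainty" is read as the full band.
        tol = self.instrument_uncertainty + self.process_variation
        self.bad = {k for k in self.bad if abs(readings[k] - reference) > tol}


def run_constructed_scans() -> List[Tuple[float, str, List[str]]]:
    """Five constructed scans of four sensors (values are made up for the example)."""
    v = SensorValidator(instrument_uncertainty=2.0, process_variation=1.0)
    scans = [
        {"A": 550.0, "B": 550.5, "C": 549.5, "D": 550.0},  # all agree
        {"A": 550.0, "B": 550.5, "C": 549.5, "D": 560.0},  # D drifts: one failure
        {"A": 540.0, "B": 562.0, "C": 550.5, "D": 560.0},  # A and B fail together
        {"A": 550.0, "B": 563.0, "C": 556.0, "D": 560.0},  # A looks right again
        {"A": 550.0, "B": 550.5, "C": 549.5, "D": 550.0},  # everything recovers
    ]
    results = []
    for readings in scans:
        signal, status = v.scan(readings)
        results.append((signal, status, sorted(v.bad)))
    return results


if __name__ == "__main__":
    for row in run_constructed_scans():
        print(row)
```

In the fourth scan sensor A has returned closest to the last valid value, but the output stays on the fault-selected sensor C until a scan validates again, which is the retention behaviour the note under step 5 calls for.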


T cold v * 11d * t1on Algorithm (Fig. 37) 

There are 12 sensors used to measure cold leg temperatures in the 
RCS. During most operational sequences, the operator is looking for 
a single "process representation" of all cold leg temperatures in 
the RCS. This value will be provided in the DIAS with a display 
labeled "RCS T cold". For consistency, this value, which is 
determined by DIAS, is also used on the Integrated Process Status 
Overview (IPSO) board. To insure reliability, DPS compares DIAS's 
RCS T cold "process representation" with its own RCS T cold, and alarms 
any deviations (DPS/DIAS RCS T c Calculation Deviation). A three 
step validation algorithm is used to determine this value: 

1. Determine a "process representation" temperature in each of the 
4 cold legs (1A, 1B, 2A, 2B) through a combination of deviation 
checking and averaging (the details are described later). 

2. From the results in step 1, determine a T cold "process 
representation" for each RCS loop (loop 1 and loop 2) by 
averaging the corresponding A, B data. 

3. From the results in step 2, determine an RCS T cold "process 
representation" for normal display and alarms by averaging loop 
1 and 2 data. 



The three step process determines "valid" "process representation" 
temperatures for cold legs 1A, 1B, 2A and 2B, cold loop 1 and 2 and 
RCS T cold. For situations when a "valid" cold leg "process 
representation" temperature cannot be calculated the algorithm will 
select the sensor closest to the last "valid" signal as the "fault 
select" "process representation" temperature. This automatic fault 
selection insures a continuous output of the RCS T cold "process 
representation" for display and alarms. After a failure the 
operator may select an individual sensor for that cold leg (1A, 1B, 
2A, 2B) "process representation". This selection will allow 
calculation of loop 1, loop 2 and RCS T cold "process 
representation" with "operator select" data. 

The following section describes the algorithm and display processing 
on the DIAS and CRT displays. 

1. The leg 1A, 1B, 2A, 2B, loop 1, 2 and RCS T cold "process 
representation" shall always be displayed on the applicable 
DIAS display and/or CRT page(s) where a single "process 
representation" is needed as opposed to multiple sensor values. 

a. Steps 1-5 (Determination of "Calculated Signal" and 
Faults) of the generic validation algorithm are modified 
to account for the following (steps 1-8 perform these 
functions): 

1. Only 3 cold leg sensors 

2. There are wide and narrow range temperature sensors 
in the same cold leg. 

b. The (Determination of "Calculated Signal" and Faults) and 
the remainder of the generic validation algorithm (steps 
6-10) are performed independently for each of the cold 
legs (1A, 1B, 2A, 2B). 

c. Two additional algorithms were added: 

1. An algorithm that averages the 2 cold leg "process 
representation" to get a loop T cold "process 
representation" (1A and 1B for loop 1 and 2A and 2B 
for loop 2) 

2. An algorithm that averages the 2 cold loop "process 
representation" to get an RCS T cold "process 
representation" (loop 1 and loop 2). 

Using a menu (as described in the generic validation algorithm) 
on DIAS or the CRT the operator may view any of the 12 sensor 
values or 7 "calculated signals". 

These selections include the following: 

T-112CA/122CA               465-615°F   T cold Loop 1A/2A 
T-112CB/122CB               465-615°F   T cold Loop 1B/2B 
T-112CC/122CC               465-615°F   T cold Loop 1A/2A 
T-112CD/122CD               465-615°F   T cold Loop 1B/2B 
T-111CA/111CB/123CA/123CB   50-750°F    T cold Loop 1A/1B/2A/2B, PAMI 

Loop 1A Tc                  Calculated Signal 
Loop 1B Tc                  Calculated Signal 
Loop 2A Tc                  Calculated Signal 
Loop 2B Tc                  Calculated Signal 
Loop 1 Tc                   Calculated Signal 
Loop 2 Tc                   Calculated Signal 
RCS Tc                      Calculated Signal 



Validation Algorithms 

Note: To simplify the discussion of sensor tag numbers, the 
following letters will be used to designate sensors 
in a cold leg. 

A - 1st narrow range sensor (safety) (465-615°F) 
B - 2nd narrow range sensor (safety) (465-615°F) 
C - wide range sensor (PAMI) (50-750°F) 
D - wide range sensor in opposite cold leg (i.e., 
when discussing loop 1A, this will be the wide 
range sensor in loop 1B, PAMI) (50-750°F) 

The algorithms described below are calculated and displayed 
independently by both DPS and DIAS. 

Method to Determine Cold Leg 1A, 1B, 2A, or 2B T cold "Process 
Representation" 

The determination of the Cold Leg "Process Representation" will be 
performed in four parts: 

1. Determination of "calculated signal" and faults, as described 
below (steps 1-8): 

o Cold leg 1A, 1B, 2A and 2B temperature "calculated signal" 
will be calculated using sensors A, B, C. A validation 
attempt will be made using narrow range sensors; if that 
is unsuccessful, the cold leg "calculated signal" will be 
validated using wide range sensors. In the event that 
validation fails using both narrow and wide range sensors, 
the algorithm will select the sensor closest to the 
last "valid" signal as the "fault select" "calculated 
signal". 

2. "Process Representation" selection (steps 9, 10) (similar to 
steps 6 and 7 of the generic validation algorithm). 

3. PAMI Check of "operator select" sensor (step 11) (identical to 
step 8 of the generic validation algorithm). 

4. Bad Sensor Evaluation and Range Check (steps 12, 13) (similar to 
steps 9, 10 of the generic validation algorithm). 

Cold Leg (1A, 1B, 2A or 2B) Validation and Display Algorithm 

Determination of "Calculated Signal" and Faults (steps 1-8) 

Narrow Range Validation Attempt (Steps 1-5) 

1. The algorithm checks to see if there are two "good" narrow range 
sensors (A and B). 

Yes, go to step 2 
No, go to step 5 

Note: A sensor is "good" if it was not declared a "bad" sensor 
on the previous scan. 

2. The algorithm averages A and B, go to step 3. 

3. Deviation check both "good" narrow range sensors (A and B) 
against the average (within sum of 1/2 narrow range uncertainty 
and expected process variation). 

If both deviation checks are satisfactory, go to step 4 to 
see if the average is in range. 

If any deviation checks are unsatisfactory go to step 5. 

Range Selection (Step 4) 

4. The algorithm checks to see if the average or selected narrow 
range sensor is in-range. 

The average or selected sensor goes in-range at 96% and 4% 
of narrow range. 

The average or selected sensor goes out-of-range at 98% 
and 2% of narrow range. 

Note: Hysteresis is needed to prevent frequent shifts 
at end-of-range. Out-of-range occurs at 98% and 
2% to insure that no out-of-range sensors are 
used to calculate a "valid" output (i.e., worst 
case sensors would read 100% or 0%). 



- If in-range, clear the "Validation Fault" alarm, if 
present, disable the "Validation Fault Operator Select 
Permissive". Output the average or selected narrow 
range sensor as the "valid" "calculated signal". Go to 
step 6. 

- If out-of-range, attempt the wide range validation, go to 
step 7. 

*rsar-trrsi! ind 61 

C. This sensor 1s selectee to a$ 

generated. Go to step 4. 
- If both A and B do not deviation check against C, go to 
step 7 and attempt wide range validation. 

Valid-PAMI Check (Step 6) 

a* *t»a •valid" average or selected 
6 . Tht .IfWltt- check, " <« , 1 th. m PAMI t .„sor 

(C). (Within sum of l/z *" oe 
process variation). 

- If satisfactory, do the following: 

a. Disable the "PAMI Fault Operator Select Permissive". 

b. Output the "PAMI" message with the "valid" 
"calculated signal". 

c. Clear the "PAMI Fault" alarm, if present. 

d. Go to step 9. 

- If unsatisfactory, do the following: 

a. Remove the "PAMI" message. 

b. Enable the "PAMI Fault Operator Select Permissive". 

Note: This feature allows the operator to select 
another sensor for the cold leg "process 
representation" when the algorithm's 
"valid" output does not correlate with 
postaccident monitoring indication (sensor 
C). 

Wide Range Validation Attempt (Step 7) 

7. Deviation check C against D (within sum of wide range 
instrument uncertainty and expected process variation). 

Note: To validate the single wide range sensor in a cold 
leg, the algorithm deviation checks it against the 
wide range sensor in the other cold leg of that loop 
(i.e., if in loop 1, 1A wide range sensor is 
deviation checked against the 1B wide range sensor). 

- If the deviation check is satisfactory, select C sensor as 
"valid" "calculated signal" and do the following: 

a. Clear the "Validation Fault" alarm, if present. 

b. Disable the "Validation Fault Operator Select 
Permissive", if it was enabled. 

c. Go to step 9. 

- If the deviation check is unsatisfactory, validation 
fails, go to step 8. 

Failed Validation (Step 8) 

8. The algorithm checks to see if the "calculated signal" on the 
previous scan was a "fault select" sensor. 

- If the previous scan was not "fault select", a validation 
fault has just occurred. Do the following: 

a. Generate a "validation fault" alarm. 

b. Enable the "Validation Fault Operator Select 
Permissive". 

c. Deviation check all sensors (A, B, C) against the 
last "valid" signal and select the sensor closest to 
the last "valid" signal as the "fault select" sensor. 

d. Output the signal from the "fault select" sensor as 
the leg T c "calculated signal". 

e. Go to step 9. 

- If the previous scan was "fault select", validation had 
failed previously and the algorithm has already picked a 
"fault select" sensor. Continue to output the signal from 
the "fault select" sensor as the "calculated signal", go 
to step 9. 

T c Leg (A or B) "Process Representation" Selection (Steps 9, 10) 

9. Step 9 is identical to step 6 of the generic validation 
algorithm. 

10. Step 10 is identical to step 7 of the generic validation 
algorithm except for the following. The operator may select 
any sensor A, B or C from that cold leg or A, B, C from the 
opposite cold leg (A or B) as the "process representation". 

PAMI Check of "Operator Select" Sensor (Step 11) 

11. This step is identical to step 8 of the generic validation 
algorithm. 

Bad Sensor Evaluation (Step 12) 

12. This step is identical to step 9 of the generic validation 
algorithm except that wide range instrument uncertainties are 
used on all deviation checks except when narrow range sensors 
are being deviation checked against a narrow range signal; in 
this case narrow range instrument uncertainties will be used. 

Range Check (Step 13) 

13. This step is identical to step 10 of the generic validation 
algorithm. 

Method to Determine Loop 1 and 2 T cold "Process Representation" 

The loop 1 and 2 T c "process representation" will be calculated 
by averaging the "process representation" from the A and B cold 
legs (1A and 1B for loop 1), (2A and 2B for loop 2). 

To simplify the discussion of the cold leg (1A, 1B, 2A or 
2B) "process representation" inputs to the loop 1 or loop 
2 algorithm, A will designate the input from leg 1A or 2A 
and B will designate the input from leg 1B or 2B leg T c. 
1. The algorithm averages the "process representation" inputs from 
the A and B cold legs and outputs the average as the loop (1 or 
2) T c "process representation". 

2. The algorithm checks to see if A and B are "valid". 

- Yes, output average as "valid", go to step 5. 

- No, go to step 3. 

3. The algorithm checks to see if A or B is "operator select". 

- Yes, go to step 4. 

- No, output the average as "fault select", go to step 5. 

4. The algorithm checks to see if A or B is "fault select". 

- Yes, output the average as "fault select", go to step 5. 

- No, output the average as "operator select", go to step 5. 

5. Deviation check A and B against the average (within sum of 
1/2 wide range instrument uncertainty and expected process 
variation). 

- If the deviation checks are satisfactory, clear the "T c 
Cold Leg (1A/1B or 2A/2B) Temp Deviation" alarm, if 
present, go to step 6. 

- If either deviation check is unsatisfactory, generate the 
"T c Cold Leg (1A/1B or 2A/2B) Temp Deviation" alarm, go to 
step 6. 

6. The algorithm checks to see if A and B are narrow range. 

- Yes, output the average as narrow range, go to step 7. 

- No, output the average as wide range, go to step 7. 

7. The algorithm checks to see if either or both inputs is 
out-of-range. 

- If either or both are out-of-range, output this T c loop 
"process representation" signal with the message 
"out-of-range", go to step 8. 

- If both are in-range, this T c loop "process 
representation" is not output with the message 
"out-of-range", go to step 8. 

8. The algorithm checks to see if A and B inputs are PAMI. 

- Yes, output the "PAMI" message with the loop (1 or 2) T c 
"process representation", the loop T c algorithm is 
repeated, go to step 1. 

- No, do not output the "PAMI" message with the loop (1 or 
2) T c "process representation", the loop T c algorithm is 
repeated, go to step 1. 
Method to Determine RCS T cold 

The RCS T cold "process representation" will be calculated by 
averaging the "process representation" inputs from loop 1 and 2 
T cold. 

. HO* ootput - -P— " ~ * " 

•fault select", go to step 6. 

•fault select-, go to step 6. 

. ho* - 7-r t,en " tro " st,p 2 " 

•oporstor soloef. 90 to stop S. 
Range Check 

otentlool to stop 10 of tta ..«•*« v»110.t1.n 

•• 1 - Ut the * ,90r1t '"'" 

! in "°° Htt "- M 1 

0„ri.« «st op.rot1-.oA .« » ° P re „ urlMr/RCS prossur. 

-proooss r ''«""" t ^ pr ° 0 '.* wd '„ olAS with » ."ploy 
roodlnps* TMs Mluo *f« * »o » m ™ . wMeh 1, deterainoO 
UOOU. •PRESS" . for — "^i" Tlosur. WS 
by OJAS. IS olso »soo o« tho IPSO »°" . vixll 1t$ „« Press 

izz — ... .PS,.* p~. 

Calculation Deviation). 

4..« a •viHd" -process representation" for 
The algorithm determines a vfl ^ %ftl1d . pres$ „ r e 

pressurUer/RCS pressure. ^ i1 "£ 1 £ utt-i the algorithm 111 
-process representation" cannot b « 1 «^' fl9Illl as the "fault 
the operator may select an individual sensor for the pressure 
"process representation" as the "fault select" "process 
representation". 

The following section describes the algorithm and display processing 
on the DIAS and CRT displays. 

1. The "process representation" pressure shall always be displayed 
on the applicable DIAS display and/or the CRT page(s) where a 
single "process representation" is needed as opposed to 
multiple sensor values. 

2. The pressure algorithm and display processing is identical to 
the generic validation algorithm with the following 
modifications: 

a. Steps 1-5 (Determination of "Calculated Signal" and 
Faults) of the generic validation algorithm are modified 
to account for the following: 

1. Three sensor ranges (0-1600 psig), (1500-2500 psig) 
and (0-4000 psig). 

b. The remainder of the generic algorithm (steps 6-10) are 
renumbered to account for additional steps in the 
(Determination of "Calculated Signal" and Faults). They 
are almost identical with the minor modifications 
described with each step. 

3. Using a menu (as described in the generic validation algorithm) 
the operator may view any of the 12 sensors values or single 
"calculated signal". 

These selections include the following: 

■>,,,, to* 10S 106 0-1600 psis Pr.iVyr1ierfres.ur. 
ToUl lOl" "00-2600 P.., Pr.ss.nzer Pressure 

--4000 PSlfl « ™, 

CALC PRESS Calculated Signal 

Validation Algorithm 

To simplify the discussion of sensor tag numbers, the following 
letters will be used to designate pressure sensors: 

P - 101A - A 
P - 101B - B 
P - 101C - C 
P - 101D - D 
P - 100X - E 
P - 100Y - F 
P - 103 - G 
P - 104 - H 
P - 105 - I 
P - 106 - J 
P - 190A - K 
P - 190B - L 

The algorithm described below is calculated and displayed 
independently by both DPS and DIAS. 

C, D, E and F) (pressure is normally in this range). If pressure is 
not in the 1500 - 2500 psig range, the 0 - 1600 psig sensors 
(G, H, I and J) will be used. If pressure cannot be calculated 
using these sensors, the 0 - 4000 psig range sensors (K and L) will 
be used. In the event that the validation fails all of these three 
ranges, the algorithm will select the sensor closest to the last 
"valid" signal as the "fault select" "calculated signal". 

This "fault select" "calculated signal" will be used as the "process 
representation" until the operator selects an "operator select" 
sensor to replace it or the algorithm is able to validate data. 

Pressurizer Pressure Validation and Display Algorithm 

Determination of Calculated Signal and Faults (steps 1-13) 

1500 - 2500 psig Range Validation Attempt (steps 1-4) 

1. The algorithm checks to see if there are 2 or more "good" (1500 
- 2500 psig narrow range) sensors. 

Yes, go to step 2 

No, go to step 5 and attempt (0-1600 psig range 
validation) 

Note: A sensor is "good" if it was not declared a "bad" sensor 
on the previous pass or a suspect sensor on a 
previous pass. 

2. The algorithm averages all "good" (1500-2500) range sensors (A, 
B, C, D, E and F). Go to step 3. 

3. Deviation check all "good" (1500-2500) range sensors against 
the average (within sum of 1/2 narrow range uncertainty and 
expected process variation). 

If all deviation checks are satisfactory, go to step 4 to 
see if the average is in range. 

If any deviation checks are unsatisfactory, the following 
occurs: 

The sensor with the greatest deviation from the average is 
flagged as a "suspect" sensor, then the algorithm checks 
to see if this is the first or second pass on this scan. 

* If the first pass, the algorithm is repeated, 
beginning at step 1. 

Note: If the deviation check fails on the first 
pass, the algorithm has used one or more 
bad sensors to calculate the average. 
Performing a second pass eliminates the one 
bad sensor or determines that multiple 
sensors are bad. 

* If it is the second pass, the (1500-2500) range 
validation fails, go to step 5 to attempt 0 - 1600 
psig range validation. 

Note: Failing to pass the deviation check on the 
second pass indicates that there are two or 
more simultaneous (1500-2500) range sensor 
failures. The algorithm cannot be sure to 
correctly eliminate only the bad sensors, 
therefore the (1500-2500) range validation 
must fail. The 0 - 1600 psig range 
validation is attempted. This insures that 
the algorithm does not calculate an 
incorrect signal for this case. Normally, 
without two or more simultaneous failures, 
the algorithm will detect multiple 
non-simultaneous deviations, sequentially 
eliminate them from the algorithm and still 
determine a "valid" signal. 

Range Selection (step 4) 



4. The algorithm checks to see if the average is in-range. 

The average goes in-range at 96% and 4% of narrow range. 

The average goes out-of-range at 98% and 2% of narrow 
range. 

Note: Hysteresis prevents frequent range shifts. 
Out-of-range occurs at 98% and 2% to insure that 
no out-of-range sensors are used to calculate a 
"valid" output (i.e., worst case sensors would 
read 100% and 0%). 

If in-range, do the following: 

a. Clear the "Validation Fault" alarm, if previously 
present. 

b. Remove the "Validation Fault Operator Select 
Permissive". 

c. Output the average as the "valid" "calculated 
signal". 

d. Go to step 12. 

If out-of-range, attempt the (0 - 1600 psig) range 
validation, go to step 5. 

0 - 1600 psig Range Validation Attempt (steps 

5. The algorithm checks to see if there are 2 or more "good" 
0 - 1600 psig range sensors (G, H, I and J). 

Yes, go to step 6 

No, go to step 9 and attempt (0-4000 range validation) 

6. The algorithm averages all "good" 0 - 1600 psig range sensors 
(G, H, I and J). Go to step 7. 

7. Deviation check all "good" 0 - 1600 psig range sensors against 
the average (within sum of 1/2 of the 0 - 1600 psig range 
uncertainty and expected process variation). 

If all deviation checks are satisfactory, go to step 8 to 
see if the average is in range. 

If any deviation checks are unsatisfactory, the following 
occurs: 

The sensor with the greatest deviation from the average is 
flagged as a "suspect" sensor, then the algorithm checks 
to see if this is the first or second pass on this scan. 

* If the first pass, the 0 - 1600 psig range algorithm 
is repeated, beginning at step 5. 

Note: If the deviation check fails on the first 
pass, the algorithm has used one or more 
bad sensors to calculate the average. 
Performing a second pass eliminates the one 
bad sensor or determines that multiple 
sensors are bad. 

* If it is the second pass, the 0 - 1600 psig 
range validation fails, go to step 9 to attempt 
0 - 4000 psig range validation. 

Note: Failing to pass the deviation check on 
the second pass indicates that there 
are two or more simultaneous 0 - 1600 
psig range sensor failures. The 
algorithm cannot be sure to correctly 
eliminate only the bad sensors, 
therefore the 0 - 1600 psig range 
validation must fail. The 0 - 4000 
psig range validation is attempted. 
This insures that the algorithm does 
not calculate an incorrect signal for 
this case. Normally, without two or 
more simultaneous failures, the 
algorithm will detect multiple 
non-simultaneous deviations, 
sequentially eliminate them from the 
algorithm and still determine a 
"valid" signal. 

Range Selection (step 8) 

8. The algorithm checks to see if the average is in-range. 

" o Th : "™zh£r u ™» n m <nd ■ «• 

Note: Hysteresis prevents frequent range shifts. Out-of-range 
occurs at 98% and 2% to insure that no out-of-range 
sensors are used to calculate a "valid" output (i.e., 
worst case sensors would read 100% or 0%). 

If in-range, do the following: 

a. Clear the "Validation Fault" alarm, if previously 
present. 

b. Remove the "Validation Fault Operator Select 
Permissive". 

c. Output the average as the "valid" "calculated 
signal". 

d. Go to step 12. 

If out-of-range, attempt the 0 - 4000 psig range 
validation, go to step 9. 

0 - 4000 psig Range Validation Attempt (steps 9, 10, 11) 

9. The algorithm checks to see if both of the 0 - 4000 psig range 
sensors (K and L) are "good". 

Yes, go to step 10. 

No, (0-4000 psig) range validation is not possible, go to 
step 13. 

10. The algorithm averages K and L, the 0 - 4000 psig range 
sensors. Go to step 11. 

11. Deviation check K and L against the average (within sum of 1/2 
0 - 4000 psig range uncertainty and expected process 
variation). 

If both deviation checks are satisfactory, do the 
following: 

a. Clear the "validation fault" alarm, if previously 
present. 

b. Remove the "Validation Fault Operator Select 
Permissive", if previously present. 

c. Go to step 12. 

If either deviation check is unsatisfactory, go to step 
13. 

Valid-PAMI Check (step 12) 

12. Does the "valid" "calculated signal" deviation check against 
the PAMI sensors? Use method a if the "valid" "calculated 
signal" is in the 1500-2500 psig or 0-1600 psig range, and 
method b if in the 0-4000 psig range. 

Method (a) (within sum of 1/2 0-4000 psig range instrument 
uncertainty, plus process variation, plus instrument position 
constant). 

Method (b) (within sum of 1/2 0-4000 psig range instrument 
uncertainty, plus process variation). 

Yes, do the following: 

a. Output the "PAMI" message, if not previously present. 

b. Remove the "PAMI Fault Operator Select Permissive", 
if previously present. 

c. Go to step 14. 

No, do the following: 

a. Remove the "PAMI" message, if previously present. 

b. Generate a "PAMI Fault" alarm, if not previously 
present. 

c. Enable the "PAMI Fault Operator Select Permissive". 

d. Go to step 14. 

Note: The (0 - 4000 psig) wide range sensors (K and L) 
are not located on the pressurizer, as are the 
other pressure sensors. The K and L sensors are 
positioned at the discharge of the reactor 
coolant pumps (RCPs) where they measure RCS 
pressure. During normal operation the pressure 
at this location is much higher (approximately 
110 psi for a System 80 plant) than at the 
pressurizer, where sensors (A, B, C, D, E, F, G, 
H, I and J) are located. An additional 
deviation acceptance criteria (called instrument 
position constant) will be used when deviation 
checks are made with or against the K and L 
(0 - 4000 psig range) sensors. 

Failed Validation (step 13) 

13. The algorithm checks to see if the "calculated signal" output 
of the previous scan was a "fault select" sensor. 

If the previous scan was not "fault select", a validation 
fault has just occurred, do the following: 

a. Generate a "Validation Fault" alarm. 

b. Deviation check all sensors (A, B, C, D, E, F, G, H, I, J, K, 
L) against the last "valid" signal. Select the 
sensor that deviates the least from the last "valid" 
signal as the "fault select" sensor. 

c. Output the signal from the "fault select" sensor as 
the pressurizer pressure "calculated signal". 

d. Enable the "Validation Fault Operator Select 
Permissive". 

e. Go to step 14. 
Pressurizer Pressure "Process Representation" Selection (steps 14, 15) 

14. Step 14 is identical to step 6 of the generic validation 
algorithm. 

15. Step 15 is identical to step 7 of the generic validation 
algorithm. 

PAMI Check of "Operator Select" Sensor (step 16) 

16. Step 16 is identical to step 8 of the generic validation, 
except that deviation criteria are the same as those 
specified in step 12 of this pressurizer pressure validation 
and display algorithm. 

Bad Sensor Evaluation (step 17) 

17. This step is identical to step 9 of the generic validation 
algorithm, except that the deviation criteria checks are the 
same as those specified in step 12 of this pressurizer pressure 
validation and display algorithm. 

Range Check (step 18) 

18. The algorithm checks to see if the "process representation" is 
at or above the maximum numerical range (1600 psig for the 0 - 
1600 psig sensors, 2500 psig for the 1500 - 2500 psig sensors 
and 4000 psig for the 0 - 4000 psig sensors) or at or below the 
minimum numerical range (0 psig for the 0 - 1600 psig and 0 - 
4000 psig sensors and 1500 psig for the 1500 - 2500 psig 
sensors). 

Yes, Output the message "Out-of-Range" along with the "process 
representation" signal. On the CRT place an asterisk (*) 
preceding the "process representation". Go to step 1 and 
repeat the algorithm. 

No, go to step 1 and repeat the algorithm. 

Note: "Out-of-range" informs the operator that the actual 
pressure may be higher or lower than the sensor is 
capable of measuring. 
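
The "calculated signal" determination described above for pressurizer pressure (steps 1-13: averaging the "good" sensors of a range, the two-pass deviation check, range selection with hysteresis, the cascade through the three ranges, and "fault select"), as an added Python sketch that is not part of the original text. The tolerance values, all function and class names, the constructed sample readings and the simplified bad-sensor re-evaluation are assumptions; the PAMI check and the instrument position constant for sensors K and L are not modelled.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class SensorRange:
    name: str
    lo: float         # psig
    hi: float         # psig
    sensors: str      # sensor letters as designated in the text
    tol: float        # ASSUMED: 1/2 range uncertainty + expected process variation
    two_pass: bool    # steps 3 and 7 allow a second pass, step 11 does not
    hysteresis: bool  # steps 4 and 8 do range selection, the 0-4000 range has none


# Ranges and sensor letters follow the text; the tolerance values are made up.
RANGES = (
    SensorRange("1500-2500", 1500.0, 2500.0, "ABCDEF", 25.0, True, True),
    SensorRange("0-1600", 0.0, 1600.0, "GHIJ", 25.0, True, True),
    SensorRange("0-4000", 0.0, 4000.0, "KL", 60.0, False, False),
)

# Constructed sample scan (psig): G-J are pegged at top of range, K and L read
# higher because they sit at the reactor coolant pump discharge.
NOMINAL = {"A": 2250.0, "B": 2252.0, "C": 2248.0, "D": 2251.0, "E": 2249.0,
           "F": 2250.0, "G": 1600.0, "H": 1600.0, "I": 1600.0, "J": 1600.0,
           "K": 2360.0, "L": 2358.0}


def scan(**overrides):
    """Return the constructed nominal scan with selected sensors overridden."""
    return {**NOMINAL, **overrides}


@dataclass
class ScanState:
    bad: set = field(default_factory=set)         # "bad" flags carried between scans
    in_range: dict = field(default_factory=dict)  # range name -> in-range last scan
    last_valid: Optional[float] = None
    fault_sensor: Optional[str] = None


def _in_range(r, value, state):
    """Range selection: go in-range at 4%/96% of span, out-of-range at 2%/98%."""
    if not r.hysteresis:
        return True
    span = r.hi - r.lo
    if state.in_range.get(r.name, False):
        ok = r.lo + 0.02 * span < value < r.lo + 0.98 * span
    else:
        ok = r.lo + 0.04 * span <= value <= r.lo + 0.96 * span
    state.in_range[r.name] = ok
    return ok


def _validate_range(r, readings, state):
    """Average the "good" sensors, deviation check, drop one suspect, retry once."""
    suspects = set()
    for _ in range(2 if r.two_pass else 1):
        good = [s for s in r.sensors if s not in state.bad and s not in suspects]
        if len(good) < 2:  # "2 or more" good sensors; for K and L that means both
            return None
        avg = mean(readings[s] for s in good)
        worst = max(good, key=lambda s: abs(readings[s] - avg))
        if abs(readings[worst] - avg) <= r.tol:
            return avg if _in_range(r, avg, state) else None
        suspects.add(worst)  # greatest deviation from the average
    return None  # second pass failed: two or more simultaneous failures


def calculated_signal(readings, state):
    """Return (value, status, source) for one scan of readings in psig."""
    for r in RANGES:
        value = _validate_range(r, readings, state)
        if value is None:
            continue
        state.last_valid, state.fault_sensor = value, None
        # Simplified bad-sensor evaluation, limited to the range that validated.
        for s in r.sensors:
            if abs(readings[s] - value) <= r.tol:
                state.bad.discard(s)
            else:
                state.bad.add(s)
        return value, "valid", r.name
    # Failed validation: pick the sensor closest to the last "valid" signal once,
    # then keep outputting that same sensor on later scans.
    if state.fault_sensor is None:
        if state.last_valid is None:
            raise ValueError('no previous "valid" signal to fault-select against')
        state.fault_sensor = min(readings, key=lambda s: abs(readings[s] - state.last_valid))
    return readings[state.fault_sensor], "fault select", state.fault_sensor
```

A single failed sensor is removed on the second pass and the narrow range still validates; two simultaneous failures make that range fail and the cascade falls through to the next range, which is the behaviour the notes under steps 3 and 7 describe.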



CLAIMS 

1. A method of data processing to display monitoring 
information about critical plant functions in a power plant 
having a steam supply system including a multiplicity of 
components which operate together to perform critical plant 
functions; means for measuring plant operating variables 
and for generating operating parameter signals from said 
measured variables; a control room including data 
processing means responsive to the operating parameter 
signals for displaying monitoring information including 
parameter values and parameter alarms to the operator; 
means responsive to the operating parameter signals for 
automatically initiating operation of safety related 
components upon the occurrence of certain abnormal events, 
means by which the operator can control safety related 
components, and means by which the operator can control 
components relating to power generation in the plant; 
the method comprising: 

storing a hierarchy of display pages including 
an apex page containing a matrix of a plurality of 
descriptors indicative of a respective plurality of plant 
critical functions including safety related critical 
functions which must be accomplished to keep the plant in a 
safe, stable condition whereby the health and safety of the 
public is preserved, and critical mission functions which 
must be accomplished in order to ensure uninterrupted power 
generation in the plant, 

a first level display page containing a hierarchical 
directory of each critical function descriptor and a 
plurality of critical function success path descriptors 
associated with each critical function, wherein each 
success path descriptor represents a configuration of plant 
components that can perform the associated critical 
function, 

a plurality of second level display pages, 
corresponding respectively to each critical function and 
containing information on the current operating state, 
availability, and current performance of the component 
configurations for each success path, and 

a plurality of third level display pages containing 
detailed diagnostic information for the success path 
components; 

continuously determining the status of the critical 
functions by comparing parameter signals against plant 
critical function acceptance criteria; 

highlighting a particular critical function 
descriptor on the apex page when the acceptance criteria 
for the particular critical function is not satisfied; and 

presenting to the operator means for accessing the 
first, second, and third level display pages whereby the 
operator can diagnose the success paths relating to the 
highlighted critical function descriptor. 

2. A method as claimed in claim 1 including displaying 
on the apex page at least one key parameter representing 
each critical function and an alarm descriptor with the key 
parameter display when a parameter alarm associated with 
the key parameter arises, and 

the status of at least one success path for each 
critical function, including the state and controllability 
of the associated component configuration, and an alarm 
descriptor with the status when the success path is 
unavailable or underperforming. 

3. A method as claimed in claim 2 wherein the status 
display of each success path on the apex page comprises a 
geometric figure with shape, texture, and colour coding. 

4. A method as claimed in claim 2 or claim 3 wherein the 
shape coding is hollow/solid to indicate active/inactive 
status, and 

the colour coding is green/red to indicate (closed or 
off/open or on) and yellow to indicate a parameter alarm. 

5. A method as claimed in any one of claims 1 to 4 
wherein each success path descriptor on the directory is 
touch sensitive such that by touching any one of such 
descriptors, the operator can retrieve the second level 
display page associated with said touched success path 
descriptor. 

6. A method as claimed in any one of claims 1 to 5 
wherein the plant can be operated in any of a plurality of 
modes and the critical function acceptance criteria is 
dependent on the plant operating mode including power 
production and post trip modes. 

7. A method as claimed in any one of claims 1 to 6 
wherein each of the second level displays includes a time 
trend of the key parameter of the associated critical 
function. 

8. A method as claimed in any one of claims 1 to 7 
wherein each of the second level displays includes a high 
level mimic diagram of the success paths for the associated 
critical function. 

9. A method as claimed in any one of claims 1 to 8 
including continuously displaying said apex display, on a 
large, centrally located display screen visible throughout 
the control room, and 

accessing said first, second and third level displays 
on at least one operator's panel including another display 
screen. 

10. A method as claimed in claim 9 wherein the status, 
availability and performance information is displayed on 
the apex display, and 

the display screen on the operator's panel can 
display the apex display.

11. A method as claimed in any one of claims 1 to 10
including

continuously determining the status of the critical
function success paths including the availability, current
operating state, and current performance of critical
function success paths and delivering the results for
storage in said means for storing;

generating a success path unavailability alarm if a
success path cannot be actuated to achieve minimum
acceptable performance criteria; and

generating a success path performance alarm if a
success path is actuated but the quality of performance is
below a minimum acceptance criteria.

12. An operating method for a power plant having a steam
supply system including a multiplicity of components which
operate together to perform critical plant process
functions in a plurality of plant operating modes; means
for measuring plant process and component operating
variables and for generating parameter signals from said
measured variables; a control room including data
processing means responsive to the parameter signals for
displaying monitoring information including parameter
values and parameter alarms in response to abnormal
parameter signals, to the operator on at least one display
screen, protection means responsive to the operating
parameter signals for automatically initiating operation of
safety related components upon the occurrence of certain
abnormal events, means by which the operator can control
safety related components, and means by which the operator
can control components relating to power generation in the
plant,

the method enabling the operator to use the data
processing means to diagnose plant disturbances that
challenge the ability of the plant to perform the critical
functions and comprising:

displaying on one of said screens, an apex page
containing,

a matrix of a plurality of descriptors indicative of
a respective plurality of plant critical functions
including safety related critical functions which must be
accomplished to keep the plant in a safe, stable condition
whereby the health and safety of the public is preserved,
and critical mission functions which must be accomplished
in order to ensure uninterrupted power generation in the
plant,

a plurality of descriptors indicative of a plurality
of critical function success paths associated with each
critical function, wherein each success path descriptor
represents a configuration of plant components that can
perform the associated critical function;

automatically monitoring the parameter signals for
key parameters representative of each critical function
process and continuously checking the monitored key
parameters against mode and event dependent acceptance
criteria;

if a particular critical function does not meet
acceptance criteria because of an abnormal parameter signal
associated with a component in a system that is expected to
perform the critical function, generating a critical
function alarm signal specific to said particular critical
function and indicating an alarm condition in said first
matrix at the descriptor for said particular critical
function;

automatically monitoring the availability, operation
state and performance of the critical function success
paths against mode and event dependent acceptance criteria;

if a particular critical function success path does
not satisfy the acceptance criteria because of an abnormal
parameter signal for a particular component in the success
path configuration, generating a success path alarm signal
specific to said particular success path and indicating an
alarm condition on the apex page at the descriptor for said
particular success path;

storing for selection and display by the operator on
another of said screens,

a first level display page containing a hierarchical
directory of each critical function descriptor and a
plurality of critical function success path descriptors
associated with each critical function, wherein each
success path descriptor represents a system configuration
of plant components that is capable of performing the
associated critical function,

a second level of display pages, corresponding
respectively to each critical function and containing
information on the current operating state, availability,
and current performance of the system component
configuration for each success path associated with the
critical functions, and

a third level of detail page containing detailed
diagnostic information for the components of the success
path system associated with a second level display page;

in the event a critical function alarm or success
path alarm is generated and indicated on said apex page,
storing a correlated alarm indicator

at the critical function descriptor and success path
descriptor of the first level display page,

at the success path system component configuration in
the second level display page for the system in which the
parameter signal causing the alarm originated,

on the third level display page containing
information on the components from which said abnormal
parameter signal originated as a result of the plant
disturbance;

while viewing an alarmed descriptor on the apex
display page, selecting the first level display page for
display at said another one of said screens, whereby while
viewing the first level display page, the operator can
observe the hierarchical relation among the correlated
alarm indicator, the critical function descriptors, and the
success path descriptors;

while viewing the first level display page, selecting
the second level display page containing the system in
which the abnormal parameter alarm is present, for display
at said one of said screens;

after the step of selecting the second level display
page, selecting a third level display page that contains
the diagnostic information associated with the component
from which the abnormal alarm parameter signal originated.

13. A method as claimed in claim 12 wherein 

the apex display page is on a large screen that is 
visible throughout the control room, and 

said another screen is at an operator's panel in the
control room.

14. A method as claimed in claim 13 wherein 

the apex display page can be selectively displayed by 
the operator on said another screen, and 

while viewing the apex display page on said another 
screen, the operator selects and displays the first level 
display page on said one screen.

15. A method as claimed in any one of claims 12 to 14
further including the steps of

storing for selection and display by the operator on
one of said screens,

an alternate first level display page for each major
system (primary, secondary, power control, electrical, and
auxiliary) containing a hierarchical directory of a
descriptor for each major system and a plurality of
subsystem descriptors for each system, wherein each
subsystem descriptor represents a subsystem of plant
components of said major system,

an alternate second level of display pages,
corresponding respectively to each major system and
containing information on the parameters associated with
the major system, and

an alternate third level of display page containing
detailed diagnostic information for the components of the
system associated with a second level display page;

displaying on each alternate first, second, and third
display pages, an alarm descriptor indicative of the origin
of the alarmed parameter;

displaying on the apex display page, a menu
containing touch responsive images for the operator to
access and display on said other screen, any one of the
first or alternate first display pages,

displaying on said accessed and displayed page, a
touch sensitive image for the operator to access and
display a second level or alternate second level display
page.

16. A method as claimed in any one of claims 12 to 15
including displaying on said apex display page, symbols
indicative of the status of a preferred success path for
each critical function.

17. A method as claimed in claim 16 including displaying
the status of the success path with distinct symbols
indicative of the operating state (on/off or
active/inactive), and controllability (the ability of the
operator or protection means to change the operating
state).

18. A method as claimed in claim 17 including displaying 
the symbols with shape coding. 

19. A method as claimed in claim 1 or claim 12
substantially as herein described with reference to the
accompanying drawings.